Access control in a data processing apparatus

ABSTRACT

A data processing apparatus and method are provided for controlling access to a slave device, the slave device having an address range associated therewith. The apparatus comprises control storage programmable to define a partition identifying a secure region and a non-secure region in the address range, with the data processing apparatus supporting a plurality of modes of operation including a secure mode, and the control storage being programmable only by software executing in the secure mode. A master device is arranged to issue an access request onto a bus, the access request identifying a sequence of addresses within the address range and including a control signal indicating whether the access request is a secure access request or a non-secure access request. The secure region is only accessible by a secure access request. Further, access control logic is provided which is associated with the slave device, the access control logic being operable to receive the access request from the bus and an indication of the partition from the control storage and, if the access request is a non-secure access request, to prevent access to the secure region.

BACKGROUND OF THE INVENTION

1. Field of the Invention

The present invention relates to access control techniques in a dataprocessing apparatus, and in particular to a data processing apparatusand method for controlling access to a slave device.

2. Description of the Prior Art

A typical data processing apparatus may include a number of masterdevices interconnected with a number of slave devices via bus circuitry.A master device is a device that initiates a transaction, and a slavedevice is a device that processes a transaction. When initiating atransaction, a master device will issue an access request, that accessrequest identifying a sequence of addresses (which may be one address ora plurality of addresses) associated with that transaction. Each slavedevice will typically have an address range associated therewith, andhence the sequence of addresses identified in the access request willidentify the target slave device for the transaction. The sequence ofaddresses within the access request can hence be used to ensure that thetransaction initiated by the master device is routed to the appropriateslave device. In the event of a write transaction, the associated writedata will also be routed from the master device to the relevant slavedevice for storing at the sequence of addresses, whilst in the event ofa read transaction, the slave device will respond to the transaction byreading data from the sequence of addresses identified by the accessrequest, and then returning that data to the master device.

It is also known within a data processing apparatus to allow differentmodes of operation to be supported with at least one mode beingconsidered a secure mode, and at least one mode being considered anon-secure mode. In such situations, steps need to be taken to ensurethat the data handled in the secure mode of operation, also referred toherein as secure data, cannot be accessed by programs executing in anon-secure mode of operation, as this could compromise the security ofthe secure data.

One way to address this problem is to provide one slave device forstoring secure data, with its associated address range hence beingconsidered a secure region, and a separate slave device for storingnon-secure data, with its associated address range hence beingconsidered as a non-secure region. As an example, one slave device maybe a secure memory, and the other slave device may be a non-securememory. A non-secure transaction can then be prevented from accessingthe secure memory.

However, a problem with such an approach is that, when a particular dataprocessing apparatus is designed, the proportion of the overall memoryspace of the apparatus (whether that be within dedicated memory devices,or registers and buffers within other types of slave device) that willneed to be defined as a secure region may not be known, because thesoftware applications that will be run on the data processing apparatusmay not be known, or because a variety of applications with differentsecurity requirements may be run on the data processing apparatus.Accordingly, it can be costly or inefficient to provide sufficientsecure regions and non-secure regions for all applications that mayforeseeably be run on the data processing apparatus.

Accordingly, it would be desirable to provide an improved technique forcontrolling access to slave devices in the data processing apparatus,which provides increased flexibility for the storage of secure data andnon-secure data.

SUMMARY OF THE INVENTION

Viewed from a first aspect, the present invention provides a dataprocessing apparatus operable to control access to a slave device, theslave device having an address range associated therewith, the apparatuscomprising: control storage programmable to define a partitionidentifying a secure region and a non-secure region in said addressrange, the data processing apparatus supporting a plurality of modes ofoperation including a secure mode, and the control storage beingprogrammable only by software executing in said secure mode; a masterdevice operable to issue an access request onto a bus, the accessrequest identifying a sequence of addresses within said address rangeand including a control signal indicating whether the access request isa secure access request or a non-secure access request, the secureregion only being accessible by a secure access request; and accesscontrol logic associated with the slave device, the access control logicbeing operable to receive the access request from the bus and anindication of the partition from the control storage and, if the accessrequest is a non-secure access request, to prevent access to the secureregion.

In accordance with the present invention a control storage (for exampleone or more registers) is provided which is programmable to define apartition identifying a secure region and a non-secure region within theaddress range of a slave device, this control storage being programmableonly by software executing in the secure mode. This hence provides amechanism for configuring the partition of an address range associatedwith a slave device into a secure region and a non-secure region, usingsoftware executing in a secure mode of operation.

When a master device issues an access request onto the bus, the accessrequest includes a control signal indicating whether the access requestis a secure access request or a non-secure access request, the secureregion only being accessible by a secure access request. Access controllogic is provided in association with the slave device, the accesscontrol logic being arranged to receive the access request from the busalong with an indication of the partition from the control storage.Using this information, the access control logic can then ensure that,if the access request is a non-secure access request, access to thesecure region is prevented.

This provides a very flexible approach to provision of secure regionsand non-secure regions within the address range of a slave device, withthe partition between the secure region and non-secure region then beingprogrammable dependent on the particular implementation. This henceenables one design of the data processing apparatus to be re-used forseveral different applications.

It will be appreciated that there are a number of ways in which thecontrol storage may define the partition. However, in one embodiment,the address range has a base address associated therewith and thecontrol storage contains an offset value that identifies relative to thebase address a boundary forming the partition between the secure regionand the non-secure region.

In one embodiment, the data processing apparatus has a secure domain anda non-secure domain, in the secure domain the data processing apparatushaving access to secure data which is not accessible in the non-securedomain, the secure region containing said secure data.

The provision of separate secure domains and non-secure domains providesa particularly secure environment in which to manage secure data andnon-secure data. Typically, within the non-secure domain there will beprovided a non-secure operating system and a plurality of non-secureapplication programs which execute in cooperation with the non-secureoperating system. In the secure domain, a secure kernel program may beprovided which can be considered to form a secure operating system.Typically such a secure kernel program will be designed to provide onlythose functions which are essential to processing activities which mustbe provided in the secure domain such that the secure kernel can be assmall and simple as possible since this will tend to make it moresecure. A plurality of secure applications can then be arranged toexecute in combination with the secure kernel.

The control signal included within the access request to indicatewhether the access request is a secure access request or a non-secureaccess request can take a variety of forms. However, in one embodiment,the control signal included within the access request is a domain signalidentifying whether the access request pertains to said secure domain orsaid non-secure domain.

If an application is loaded onto the data processing apparatus, it willby default be executed in the non-secure domain. In contrast, the securedomain is only used for certain specific secure functions, and hence isonly used to run certain secure applications. Hence, the presence of thesecure domain and the non-secure domain in effect defines two differentworlds within the device, namely a secure world in which certain keysecure functions are performed and a non-secure world in which all otherapplications are run. Since the domain signal issued by the masterdevice in association with the access request specifies which domain theaccess request pertains to, this identifies whether the access requestis a secure access request or not, and hence can be used by the accesscontrol logic to ensure that, if the access request is a non-secureaccess request, access to a secure region is prevented.

In one embodiment, the master device is operable in the plurality ofmodes and a plurality of domains, said plurality of domains comprising asecure domain and a non-secure domain, said plurality of modes includingat least one non-secure mode being a mode in the non-secure domain andat least one secure mode being a mode in the secure domain, said masterdevice being operable such that when executing a program in a securemode said program has access to secure data which is not accessible whensaid master device is operating in a non-secure mode, the secure regioncontaining said secure data.

In such embodiments, when operating in said at least one secure mode,the access request issued by the master device is said secure accessrequest, and when operating in said at least one non-secure mode, theaccess request issued by the master device is said non-secure accessrequest.

The access control logic can be arranged in a number of ways to ensurethat, if the access request is a non-secure access request, access tothe secure region is prevented. In one embodiment, the access controllogic comprises determination logic operable to determine having regardto the indication of the partition whether the sequence of addressesidentified by the access request at least partly lies within the secureregion, and if so to check that the control signal included within theaccess request indicates that the access request is a secure accessrequest. It will be appreciated that if it is determined that the accessrequest is a secure access request, then the access can proceed.However, if it is determined that the access request is a non-secureaccess request, then the access control logic can be arranged to causethe entire access request to be rejected if the sequence of addresses atleast partly lie within the secure region. Alternatively, if part of thesequence of addresses map to a non-secure region, then the correspondingpart of the access request can be processed, with only the part that isseeking to access the secure region being rejected.

In one embodiment, the address range comprises a plurality of blocks ofa predetermined size, the partition is located at a boundary between twoadjacent blocks of said plurality of blocks, and the sequence ofaddresses identified by the access request are required to be within oneof said blocks, the determination logic being operable to determinewhether a first address of said sequence is within the secure region orthe non-secure region. In such embodiments, it can be seen that it issufficient for the determination logic to determine whether a startaddress of the sequence is within the secure region or the non-secureregion, since it can be ensured that the remaining addresses in thesequence, if any, will also relate to the same region as the startaddress.

It will be appreciated that in one embodiment, the secure region and thenon-secure region may constitute the entirety of the address range.However, in one embodiment, the address range exceeds the physical sizeof storage within the slave device, the determination logic beingfurther operable to determine whether the sequence of addresses at leastpartly exceeds the physical size, and if so to prevent the slave devicebeing accessed. This approach provides a mechanism to control aliasingeffects, which might otherwise cause an address outside of the secureregion to be remapped into the secure region when decoded.

It will be appreciated that there are a number of ways in which theaccess control logic could arrange for access to the secure region to beprevented if the access request is a non-secure access request. In oneembodiment, the access request includes a valid signal which is assertedby the master device when the access request is issued, the accesscontrol logic comprising valid signal propagation logic operable toreceive the valid signal and to generate a replacement valid signal forrouting to the slave device, the valid signal propagation logic beingoperable to de-assert the replacement valid signal in the event that thedetermination logic determines that a non-secure access request isattempting to access the secure region. By this approach, the slavedevice will ignore the access request if the determination logicdetermines that a non-secure access request is attempting to access asecure region, since the access request will be viewed by the slavedevice as an invalid access request. In such embodiments, the addressinformation included in the access request can be routed to the slavedevice irrespective of the determination made by the access controllogic, since the de-assertion of the valid signal by the access controllogic is sufficient to ensure that the access request is not processedby the slave device.

It will be appreciated that there are a number of ways in which thewrite data associated with a write access request can be handled toensure that the access control logic is able to prevent access to thesecure region if the access request is a non-secure access request. Ifthe above described approach of using a valid signal is employed, whichis de-asserted in the event that the determination logic determines thata non-secure access request is attempting to access the secure region,then the write data can be allowed to be routed to the slave deviceirrespective of the determination made by the access control logic,since the de-assertion of the valid signal by the access control logicis sufficient to ensure that the access request is not processed by theslave device. In an alternative embodiment, the access control logic isoperable in the event of a non-secure access request specifying a writeoperation to prevent the write data of the access request being providedto the slave device if the determination logic determines that thatnon-secure access request is attempting to access the secure region. Insuch embodiments, logic will be incorporated into the write data pathwhich is responsive to a signal generated by the access control logic toeither pass the write data on to the slave device, or to prevent thewrite data being passed on to the slave device.

It will also be appreciated that for a read access request, there are anumber of ways in which the access request can be handled in the eventthat the access control logic determines that the access request is anon-secure access request and is attempting access to a secure region.In one embodiment, the access control logic is operable in the event ofa non-secure access request specifying a read operation to cause adefault read response to be returned to the master device if thedetermination logic determines that that non-secure access request isattempting to access the secure region. Such an approach can be used toensure compliance with any bus protocol associated with the buscircuitry interconnecting the master and slave devices. Such a busprotocol may require the return of some form of read response in replyto a read access request, and the use of a default read response canensure that compliance with this protocol is met, without allowingaccess to the secure region.

It will be appreciated that the slave device may take a variety offorms, for example a bridge to another domain, a peripheral device suchas an I/O interface, etc., but in one embodiment the slave device is amemory. In such embodiments, the data processing apparatus may typicallyfurther comprise a memory interface operable to access said memory, theaccess control logic being coupled between the bus and the memoryinterface.

The data processing apparatus can take a variety of forms. However, inone embodiment, the data processing apparatus is a System-on-Chip (SoC),and further comprises an on-chip memory forming said slave device.

Viewed from a second aspect, the present invention provides slave devicecontrol logic or use in a data processing apparatus to control access toa slave device, the slave device having an address range associatedtherewith, the slave device control logic comprising: control storageprogrammable to define a partition identifying a secure region and anon-secure region in said address range, the data processing apparatussupporting a plurality of modes of operation including a secure mode,and the control storage being programmable only by software executing insaid secure mode; and access control logic associated with the slavedevice, the access control logic being operable to receive an accessrequest from a bus and an indication of the partition from the controlstorage and, if the access request is a non-secure access request, toprevent access to the secure region.

Viewed from a third aspect, the present invention provides a method ofoperating a data processing apparatus to control access to a slavedevice, the slave device having an address range associated therewith,the method comprising the steps of: programming within a control storagea partition identifying a secure region and a non-secure region in saidaddress range, the data processing apparatus supporting a plurality ofmodes of operation including a secure mode, and the control storagebeing programmable only by software executing in said secure mode;issuing from a master device an access request onto a bus, the accessrequest identifying a sequence of addresses within said address rangeand including a control signal indicating whether the access request isa secure access request or a non-secure access request, the secureregion only being accessible by a secure access request; and employingaccess control logic associated with the slave device to receive theaccess request from the bus and an indication of the partition from thecontrol storage and, if the access request is a non-secure accessrequest, to prevent access to the secure region.

BRIEF DESCRIPTION OF THE DRAWINGS

The present invention will be described further, by way of example only,with reference to embodiments thereof as illustrated in the accompanyingdrawings, in which:

FIG. 1 is a block diagram schematically illustrating a data processingapparatus in accordance with preferred embodiments of the presentinvention;

FIG. 2 schematically illustrates different programs operating in anon-secure domain and a secure domain;

FIG. 3 schematically illustrates a matrix of processing modes associatedwith different security domains;

FIGS. 4 and 5 schematically illustrate different relationships betweenprocessing modes and security domains:

FIG. 6 illustrates one programmer's model of a register bank of aprocessor depending upon the processing mode;

FIG. 7 illustrates an example of providing separate register banks for asecure domain and a non-secure domain;

FIG. 8 schematically illustrates a plurality of processing modes withswitches between security domains being made via a separate monitormode;

FIG. 9 schematically illustrates a scenario for security domainswitching using a mode switching software interrupt instruction;

FIG. 10 schematically illustrates one example of how non-secureinterrupt requests and secure interrupt requests may be processed by thesystem;

FIGS. 11A and 11B schematically illustrate an example of non-secureinterrupt request processing and an example of secure interrupt requestprocessing in accordance with FIG. 10;

FIG. 12 illustrates an alternative scheme for the handling of non-secureinterrupt request signals and secure interrupt request signals comparedto that illustrated in FIG. 10;

FIGS. 13A and 13B illustrate example scenarios for dealing with anon-secure interrupt request and a secure interrupt request inaccordance with the scheme illustrated in FIG. 12;

FIG. 14 is an example of a vector interrupt table;

FIG. 15 schematically illustrates multiple vector interrupt tablesassociated with different security domains;

FIG. 16 schematically illustrates an exception control register;

FIG. 17 is a flow diagram illustrating how an instruction attempting tochange a processing status register in a manner that alters the securitydomain setting can generate a separate mode change exception which inturn triggers entry into the monitor mode and running of the monitorprogram;

FIG. 18 schematically shows a thread of control of a processor operatingin a plurality of modes, wherein a task in monitor mode is interrupted;

FIG. 19 schematically shows a different thread of control of a processoroperating in a plurality of modes;

FIG. 20 schematically shows a further thread of control of a processoroperating in a plurality of modes, wherein interrupts are enabled inmonitor mode;

FIGS. 21 to 23 illustrate a view of different processing modes andscenario for switching between secure and non-secure domains inaccordance with another example embodiment(s);

FIG. 24 schematically illustrates the concept of adding a secureprocessing option to a traditional ARM core;

FIG. 25 schematically illustrates a processor having a secure andnon-secure domain and reset;

FIG. 26 schematically illustrates the delivering of processing requeststo a suspended operating system using a software faked interrupt;

FIG. 27 schematically illustrates another example of the delivering of aprocessing request to a suspended operating system via a software fakedinterrupt;

FIG. 28 is a flow diagram schematically illustrating processingperformed upon receipt of a software faked interrupt of the typegenerated in FIGS. 26 and 27;

FIGS. 29 and 30 schematically illustrate task following by a secureoperating system to track possible task switches made by a non-secureoperating system;

FIG. 31 is a flow diagram schematically illustrating the processingperformed upon receipt of a call at the secure operating system of FIGS.29 and 30;

FIG. 32 is a diagram schematically illustrating the problem of interruptpriority inversion which may occur in a system having multiple operatingsystems where different interrupts may be handled by different operatingsystems;

FIG. 33 is a diagram schematically illustrating the use of stubinterrupt handlers to avoid the problem illustrated in FIG. 32; and

FIG. 34 schematically illustrates how different types and priorities ofinterrupts may be handled depending upon whether or not they can beinterrupted by an interrupt which will be serviced using a differentoperating system;

FIG. 35 illustrates how the processor configuration data is overriddenwith monitor mode specific processor configuration data when theprocessor is operating in monitor mode;

FIG. 36 is a flow diagram illustrating how the processor configurationdata is switched when transitioning between the secure domain and thenon-secure domain in accordance with one embodiment to the presentinvention:

FIG. 37 is a diagram illustrating the memory management logic used inone embodiment of the present invention to control access to memory;

FIG. 38 is a block diagram illustrating the memory management logic of asecond embodiment of the present invention used to control access tomemory;

FIG. 39 is a flow diagram illustrating the process performed in oneembodiment of the present invention within the memory management logicto process a memory access request that specifies a virtual address;

FIG. 40 is a flow diagram illustrating the process performed in oneembodiment of the present invention within the memory management logicto process a memory access request that specifies a physical address:

FIG. 41 schematically illustrates how the partition checker of preferredembodiments is operable to prevent access to a physical address withinsecure memory when the device issuing the memory access request isoperating in a non-secure mode;

FIG. 42 is a diagram illustrating the use of both a non-secure pagetable and a secure page table in preferred embodiments of the presentinvention;

FIG. 43 is a diagram illustrating two forms of flag used within the maintranslation lookaside buffer (TLB) of preferred embodiments;

FIG. 44 illustrates how memory may be partitioned after a boot stage inone embodiment of the present invention;

FIG. 45 illustrates the mapping of the non-secure memory by the memorymanagement unit following the performance of the boot partition inaccordance with an embodiment of the present invention;

FIG. 46 illustrates how the rights of a part of memory can be altered toallow a secure application to share memory with a non-secure applicationin accordance with an embodiment of the present invention;

FIG. 47 illustrates how devices may be connected to the external bus ofthe data processing apparatus in accordance with one embodiment of thepresent invention:

FIG. 48 is a block diagram illustrating how devices may be coupled tothe external bus in accordance with the second embodiment of the presentinvention;

FIG. 49 illustrates the arrangement of physical memory in embodimentswhere a single set of page tables is used;

FIG. 50A illustrates an arrangement in which two MMUs are used toperform virtual to physical address translation via an intermediateaddress;

FIG. 50B illustrates an alternative arrangement in which two MMUs areused to perform virtual to physical address translation via anintermediate address;

FIG. 51 illustrates, by way of example, the correspondence betweenphysical address space and intermediate address space for both thesecure domain and the non-secure domain;

FIG. 52 illustrates the swapping of memory regions between secure andnon-secure domains through manipulation of the page tables associatedwith the second MMU;

FIG. 53 is an embodiment illustrating an implementation using a singleMMU, and where a miss in the main TLB causes an exception to be invokedto determine the virtual to physical address translation;

FIG. 54 is a flow diagram illustrating the process performed by theprocessor core in order to action an exception issued upon occurrence ofa miss in the main TLB of the MMU of FIG. 53;

FIG. 55 is a block diagram illustrating components provided within adata processing apparatus of one embodiment, in which the cache isprovided with information as to whether the data stored in individualcache lines is secure data or non-secure data;

FIG. 56 illustrates the construction of the memory management unitillustrated in FIG. 55;

FIG. 57 is a flow diagram illustrating the processing performed withinthe data processing apparatus of FIG. 55 to process a non-secure memoryaccess request;

FIG. 58 is a flow diagram illustrating the processing performed withinthe data processing apparatus of FIG. 55 in order to process a securememory access request;

FIG. 59 schematically shows possible granularity of monitoring functionsfor different modes and applications running on a processor;

FIG. 60 shows possible ways of initiating different monitoringfunctions;

FIG. 61 shows a table of control values for controlling availability ofdifferent monitoring functions;

FIG. 62 shows a positive-edge triggered FLIP-FLOP view;

FIG. 63 a scan chain cell;

FIG. 64 shows a plurality of scan chain cells in a scan chain;

FIG. 65 shows a debug TAP controller:

FIG. 66A shows a debug TAP controller with a JADI input;

FIG. 66B shows a scan chain cell with a bypass register;

FIG. 67 schematically illustrates a processor comprising a core, scanchains and a Debug Status and Control Register;

FIG. 68 schematically illustrates the factors controlling debug or traceinitialisation;

FIGS. 69A and 69B show a summary of debug granularity;

FIG. 70 schematically illustrates the granularity of debug while it isrunning;

FIGS. 71A and 71B show monitor debug when debug is enabled in secureworld and when it is not enabled respectively;

FIG. 72 is a block diagram of a data processing apparatus in accordancewith one embodiment of the present invention;

FIG. 73 is a diagram illustrating in more detail the logic providedwithin the protection controller of FIG. 72;

FIG. 74 illustrates how the address range associated with the on-chipmemory of FIG. 72 can be partitioned in accordance with embodiments ofthe present invention;

FIG. 75 is a diagram illustrating in more detail the logic providedwithin the on-chip memory adapter of FIG. 72;

FIG. 76 is a diagram illustrating the logic provided within thedetermination logic of FIG. 75 in accordance with one embodiment; and

FIG. 77 is a flow diagram illustrating the operations performed by theon-chip memory adapter of FIG. 72 in accordance with one embodiment ofthe present invention.

DESCRIPTION OF EMBODIMENTS

FIG. 1 is a block diagram illustrating a data processing apparatus inaccordance with preferred embodiments of the present invention. The dataprocessing apparatus incorporates a processor core 10 within which isprovided an arithmetic logic unit (ALU) 16 arranged to execute sequencesof instructions. Data required by the ALU 16 is stored within a registerbank 14. The core 10 is provided with various monitoring functions toenable diagnostic data to be captured indicative of the activities ofthe processor core. As an example, an Embedded Trace Module (ETM) 22 isprovided for producing a real time trace of certain activities of theprocessor core in dependence on the contents of certain controlregisters 26 within the ETM 22 defining which activities are to betraced. The trace signals are typically output to a trace buffer fromwhere they can subsequently be analysed. A vectored interrupt controller21 is provided for managing the servicing of a plurality of interruptswhich may be raised by various peripherals (not illustrated).

Further, as shown in FIG. 1, another monitoring functionality that canbe provided within the core 10 is a debug function, a debuggingapplication external to the data processing apparatus being able tocommunicate with the core 10 via a Joint Test Access Group (JTAG)controller 18 which is coupled to one or more scan chains 12.Information about the status of various parts of the processor core 10can be output via the scan chains 12 and the JTAG controller 18 to theexternal debugging application. An In Circuit Emulator (ICE) 20 is usedto store within registers 24 conditions identifying when the debugfunctions should be started and stopped, and hence for example will beused to store breakpoints, watchpoints, etc.

The core 10 is coupled to a system bus 40 via memory management logic 30which is arranged to manage memory access requests issued by the core 10for access to locations in memory of the data processing apparatus.Certain parts of the memory may be embodied by memory units connecteddirectly to the system bus 40, for example the Tightly Coupled Memory(TCM) 36, and the cache 38 illustrated in FIG. 1. Additional devices mayalso be provided for accessing such memory, for example a Direct MemoryAccess (DMA) controller 32. Typically, various control registers 34 willbe provided for defining certain control parameters of the variouselements of the chip, these control registers also being referred toherein as coprocessor 15 (CP 15) registers.

The chip containing the core 10 may be coupled to an external bus 70(for example a bus operating in accordance with the “AdvancedMicrocontroller Bus Architecture” (AMBA) specification developed by ARMLimited) via an external bus interface 42, and various devices may beconnected to the external bus 70. These devices may include masterdevices such as a digital signal processor (DSP) 50, or a direct memoryaccess (DMA) controller 52, as well as various slave devices such as theboot ROM 44, the screen driver 46, the external memory 56, aninput/output (I/O) interface 60 or a key storage unit 64. These variousslave devices illustrated in FIG. 1 can all be considered asincorporating parts of the overall memory of the data processingapparatus. For example, the boot ROM 44 will form part of theaddressable memory of the data processing apparatus, as will theexternal memory 56. Further, devices such as the screen driver 46, I/Ointerface 60 and key storage unit 64 will all include internal storageelements such as registers or buffers 48, 62, 66, respectively, whichare all independently addressable as part of the overall memory of thedata processing apparatus. As will be discussed in more detail later, apart of the memory, e.g. part of external memory 56, will be used tostore one or more page tables 58 defining information relevant tocontrol of memory accesses.

As will be appreciated by those skilled in the art, the external bus 70will typically be provided with arbiter and decoder logic 54, thearbiter being used to arbitrate between multiple memory access requestsissued by multiple master devices, for example the core 10, the DMA 32,the DSP 50, the DMA 52, etc, whilst the decoder will be used todetermine which slave device on the external bus should handle anyparticular memory access request.

Whilst in some embodiments, the external bus may be provided externallyto the chip containing the core 10, in other embodiments the externalbus will be provided on-chip with the core 10. This has the benefit thatsecure data on the external bus is easier to keep secure than when theexternal bus is off-chip; when the external bus is off-chip, dataencryption techniques may be used to increase the security of securedata.

FIG. 2 schematically illustrates various programs running on aprocessing system having a secure domain and a non-secure domain. Thesystem is provided with a monitor program 72 which executes at leastpartially in a monitor mode. In this example embodiment security statusflag is write accessible only within the monitor mode and may be writtenby the monitor program 72. The monitor program 72 is responsible formanaging all changes between the secure domain and the non-secure domainin either direction. From a view external to the core the monitor modeis always secure and the monitor program is in secure memory.

Within the non-secure domain there is provided a non-secure operatingsystem 74 and a plurality of non-secure application programs 76, 78which execute in co-operation with the non-secure operating system 74.In the secure domain, a secure kernel program 80 is provided. The securekernel program 80 can be considered to form a secure operating system.Typically such a secure kernel program 80 will be designed to provideonly those functions which are essential to processing activities whichmust be provided in the secure domain such that the secure kernel 80 canbe as small and simple as possible since this will tend to make it moresecure. A plurality of secure applications 82, 84 are illustrated asexecuting in combination with the secure kernel 80.

FIG. 3 illustrates a matrix of processing modes associated withdifferent security domains. In this particular example the processingmodes are symmetrical with respect to the security domain andaccordingly Mode 1 and Mode 2 exist in both secure and non-secure forms.

The monitor mode has the highest level of security access in the systemand in this example embodiment is the only mode entitled to switch thesystem between the non-secure domain and the secure domain in eitherdirection. Thus, all domain switches take place via a switch to themonitor mode and the execution of the monitor program 72 within themonitor mode.

FIG. 4 schematically illustrates another set of non-secure domainprocessing modes 1, 2, 3, 4 and secure domain processing modes a, b, c.In contrast to the symmetric arrangement of FIG. 3, FIG. 4 shows thatsome of the processing modes may not be present in one or other of thesecurity domains. The monitor mode 86 is again illustrated as straddlingthe non-secure domain and the secure domain. The monitor mode 86 can beconsidered a secure processing mode, since the secure status flag may bechanged in this mode and monitor program 72 in the monitor mode has theability to itself set the security status flag it effectively providesthe ultimate level of security within the system as a whole.

FIG. 5 schematically illustrates another arrangement of processing modeswith respect to security domains. In this arrangement both secure andnon-secure domains are identified as well as a further domain. Thisfurther domain may be such that it is isolated from other parts of asystem in a way that it does not need to interact with either of thesecure domain or non-secure domain illustrated and as such the issue ofto which of these it belongs to is not relevant.

As will be appreciated a processing system, such as a microprocessor isnormally provided with a register bank 88 in which operand values may bestored. FIG. 6 illustrates a programmer's model view of an exampleregister bank with dedicated registers being provided for certain of theregister numbers in certain of the processing modes. More particularly,the example of FIG. 6 is an extension of the known ARM register bank(e.g. as provided in ARM7 processors of ARM Limited. Cambridge, England)which is provided with a dedicated saved program status register, adedicated stack pointer register and a dedicated link register R14 foreach processing mode, but in this case extended by the provision of amonitor mode. As illustrated in FIG. 6, the fast interrupt mode hasadditional dedicated registers provided such that upon entry of the fastinterrupt mode there is no need to save and then restore registercontents from other modes. The monitor mode may in alternativeembodiments also be provided with dedicated further registers in asimilar manner to the fast interrupt mode so as to speed up processingof a security domain switch and reduce system latency associated withsuch switches.

FIG. 7 schematically illustrates another embodiment in which theregister bank 88 is provided in the form of two complete and separateregister banks that are respectively used in the secure domain and thenon-secure domain. This is one way in which secure data stored withinregisters operable in the secure domain can be prevented from becomingaccessible when a switch is made to the non-secure domain. However, thisarrangement hinders the possibility of passing data from the non-securedomain to the secure domain as may be permitted and desirable by usingthe fast and efficient mechanism of placing it in a register which isaccessible in both the non-secure domain and the secure domain.

An important advantage of having secure register bank is to avoid theneed for flushing the contents of registers before switching from oneworld to the other. If latency is not a critical issue, a simplerhardware system with no duplicated registers for the secure domain worldmay be used, e.g. FIG. 6. The monitor mode is responsible switching fromone domain to the other. Restoring context, saving previous context, aswell as flushing registers is performed by a monitor program at leastpartially executing in monitor mode. The system behaves thus like avirtualisation model. This type of embodiment is discussed furtherbelow. Reference should be made to, for example, the programmer's modelof the ARM7 upon which the security features described herein build.

Processor Modes

Instead of duplicating modes in secure world, the same modes supportboth secure and non-secure domains (see FIG. 8). Monitor mode is awareof the current status of the core, either secure or non-secure (e.g. asread from an S bit stored is a coprocessor configuration register).

In the FIG. 8, whenever an SMI (Software Monitor Interrupt instruction)occurs, the core enters monitor mode to switch properly from one worldto the other.

With reference to FIG. 9 in which SMIs are permitted from user mode:

-   1. The scheduler launches thread 1-   2. Thread 1 needs to perform a secure function=>SMI secure call, the    core enters monitor mode. Under hardware control the current PC and    CPSR (current processor status register) are stored in R14_mon and    SPSR_mon (saved processor status register for the monitor mode) and    IRQ/FIQ interrupts are disabled.-   3. The monitor program does the following tasks:    -   The S bit is set (the secure status flag).

Saves at least R14_mon and SPSR_mon in a stack so that non-securecontext cannot be lost if an exception occurs whilst the secureapplication is running.

-   -   Checks there is a new thread to launch: secure thread 1. A        mechanism (via thread ID table in some example embodiments)        indicates that thread 1 is active in the secure world.    -   IRQ/FIQ interrupts are re-enabled. A secure application can then        start in secure user mode.

-   4. Secure thread 1 runs until it finishes, then branches (SMI) onto    the ‘return from secure’ function of the monitor program mode    (IRQ/FIQ interrupts are then disabled when the core enters monitor    mode)

-   5. The ‘return from secure’ function does the following tasks:    -   indicates that secure thread 1 is finished (e.g., in the case of        a thread ID table, remove thread 1 from the table).    -   Restore from stack non-secure context and flush required        registers, so that no secure data can be read once return has        been made to the non-secure domain.    -   Then branches back to the non-secure domain with a SUBS        instruction (this restores the program counter to the correct        point and updates the status flags), restoring the PC (from        restored R14_mon) and CPSR (from SPSR_mon). So, the return point        in the non-secure domain is the instruction following the        previously executed SMI in thread 1.

-   6. Thread 1 executes until the end, then gives the hand back to the    scheduler.

Some of the above functionality may be split between the monitor programand the secure operating system depending upon the particularembodiment.

In other embodiments it may be desired not to allow SMIs to occur inuser modes.

Secure World Entry

Reset

When a hardware reset occurs, the MMU is disabled and the ARM core(processor) branches to secure supervisor mode with the S bit set. Oncethe secure boot is terminated an SMI to go to monitor mode may beexecuted and the monitor can switch to the OS in non-secure world(non-secure svc mode) if desired. If it is desired to use a legacy OSthis can simply boot in secure supervisor mode and ignore the securestate.

SMI Instruction

This instruction (a mode switching software interrupt instruction) canbe called from any non-secure modes in the non-secure domain (aspreviously mentioned it may be desired to restrict SMIs to privilegedmodes), but the target entry point determined by the associated vectoris always fixed and within monitor mode. Its up to the SMI handler tobranch to the proper secure function that must be run (e.g. controlledby an operand passed with the instruction).

Passing parameters from non-secure world to secure world can beperformed using the shared registers of the register bank within a FIG.6 type register bank.

When a SMI occurs in non-secure world, the ARM core may do the followingactions in hardware:

-   -   Branch to SMI vector (in secure memory access is allowed since        you will now be in monitor mode) into monitor mode    -   Save PC into R14_mon and CPSR into SPSR_mon    -   Set the S bit using the monitor program    -   Start to execute secure exception handler in monitor mode        (restore/save context in case of multi-threads)    -   Branch to secure user mode (or another mode, like svc mode) to        execute the appropriate function    -   IRQ and FIQ are disabled while the core is in monitor mode        (latency is increased)

Secure World Exit

There are two possibilities to exit secure world:

-   -   The secure function is finished and we return into previous        non-secure mode that had called this function.    -   The secure function is interrupted by a non-secure exception        (e.g. IRQ/FIQ/SMI).

Normal End of Secure Function

The secure function terminates normally and we need to resume anapplication in the non-secure world at the instruction just after theSMI. In the secure user mode, a ‘SMI’ instruction is performed to returnto monitor mode with the appropriate parameters corresponding to a‘return from secure world’ routine. At this stage, the registers areflushed to avoid leakage of data between non-secure and secure worlds,then non-secure context general purpose registers are restored andnon-secure banked registers are updated with the value they had innon-secure world. R14_mon and SPSR_mon thus get the appropriate valuesto resume the non-secure application after the SMI, by executing a ‘MOVSPC, R14’ instruction.

Exit of Secure Function Due to a Non-Secure Exception

In this case, the secure function is not finished and the secure contextmust be saved before going into the non-secure exception handler,whatever the interrupts are that need to be handled.

Secure Interrupts

There are several possibilities for secure interrupts.

Two possible solutions are proposed which depend on:

-   -   What kind of interrupt it is (secure or non-secure)    -   What mode the core is in when the IRQ occurs (either in secure        or in non-secure world)

Solution One

In this solution, two distinct pins are required to support secure andnon-secure interrupts.

While in Non Secure world, if

-   -   an IRQ occurs, the core goes to IRQ mode to handle this        interrupt as in ARM cores such as the ARM7    -   a SIRQ occurs, the core goes to monitor mode to save non-secure        context and then to a secure IRQ handler to deal with the secure        interrupt.

While in Secure world, if

-   -   an SIRQ occurs, the core goes to the secure IRQ handler. The        core does not leave the secure world    -   an IRQ occurs, the core goes to monitor mode where secure        context is saved, then to a non-secure IRQ handler to deal with        this non-secure interrupt.

In other words, when an interrupt that does not belong to the currentworld occurs, the core goes directly to monitor mode, otherwise it staysin the current world (see FIG. 10).

IRQ Occurring in Secure World

See FIG. 11A:

-   1. The scheduler launches thread 1.-   2. Thread 1 needs to perform a secure function=>SMI secure call, the    core enters monitor mode. Current PC and CPSR are stored in R14_mon    and SPSR_mon, IRQ/FIQ are disabled.-   3. The monitor handler (program) does the following tasks:    -   The S bit is set.    -   Saves at least R14_mon and SPSR_mon in a stack (and possibly        other registers are also pushed) so that non-secure context        cannot be lost if an exception occurs whilst the secure        application is running.    -   Checks there is a new thread to launch: secure thread 1. A        mechanism (via thread ID table) indicates that thread 1 is        active in the secure world.    -   Secure application can then start in the secure user mode.        IRQ/FIQ are then re-enabled.-   4. An IRQ occurs while secure thread 1 is running. The core jumps    directly to monitor mode (specific vector) and stores current PC in    R14_mon and CPSR in SPSR_mon in monitor mode, (IRQ/FIQ are then    disabled).-   5. Secure context must be saved, previous non-secure context is    restored. The monitor handler may be to IRQ mode to update    R14_irq/SPSR_irq with appropriate values and then passes control to    a non-secure IRQ handler.-   6. The IRQ handler services the IRQ, then gives control back to    thread 1 in the non-secure world. By restoring SPRS_irq and R14_irq    into the CPSR and PC, thread 1 is now pointing onto the SMI    instruction that has been interrupted.-   7. The SMI instruction is re-executed (same instruction as 2).-   8. The monitor handler sees this thread has previously been    interrupted, and restores the thread 1 context. It then branches to    secure thread 1 in user mode, pointing onto the instruction that has    been interrupted.-   9. Secure thread 1 runs until it finishes, then branches onto the    ‘return from secure’ function in monitor mode (dedicated SMI).-   10. The ‘return from secure’ function does the following tasks:    -   indicates that secure thread 1 is finished (i.e., in the case of        a thread ID table, remove thread 1 from the table).    -   restore from stack non-secure context and flush required        registers, so that no secure data can be read once a return is        made to non-secure world.    -   branches back to the non-secure world with a SUBS instruction,        restoring the PC (from restored R14_mon) and CPSR (from        SPSR_mon). So, the return point in the non-secure world should        be the instruction following the previously executed SMI in        thread 1.-   11. Thread 1 executes until the end, then gives control back to the    scheduler.

SIRO Occurring in Non-Secure World

See FIG. 11B:

-   1. The schedule launches thread 1-   2. A SIRQ occurs while secure thread 1 is running. The core jumps    directly to monitor mode (specific vector) and stores current PC in    R14_mon and CPSR in SPSR_mon in monitor mode, IRQ/FIQ are then    disabled.-   3. Non-Secure context must be saved, then the core goes to a secure    IRQ handler.-   4. The IRQ handler services the SIRQ, then gives control back to the    monitor mode handler using an SMI with appropriate parameters.-   5. The monitor handler restores non-secure context so that a SUBS    instruction makes the core return to the non-secure world and    resumes the interrupted thread 1.-   6. Thread 1 executes until the end, then gives the hand back to the    scheduler.

The mechanism of FIG. 11A has the advantage of providing a deterministicway to enter secure world. However, there are some problems associatedwith interrupt priority: e.g. while a SIRQ is running in secureinterrupt handler, a non-secure IRQ with higher priority may occur. Oncethe non-secure IRQ is finished, there is a need to recreate the SIRQevent so that the core can resume the secure interrupt.

Solution Two

In this mechanism (See FIG. 12) two distinct pins, or only one, maysupport secure and non-secure interrupts. Having two pins reducesinterrupt latency.

While in Non Secure world, if

-   -   an IRQ occurs, the core goes to IRQ mode to handle this        interrupt like in ARM7 systems    -   a SIRQ occurs, the core goes to an IRQ handler where an SMI        instruction will make the core branch to monitor mode to save        non-secure context and then to a secure IRQ handler to deal with        the secure interrupt.

While in a Secure world, if

-   -   a SIRQ occurs, the core goes to the secure IRQ handler. The core        does not leave the secure world    -   an IRQ occurs, the core goes to the secure IRQ handler where an        SMI instruction will make the core branch to monitor mode (where        secure context is saved), then to a non-secure IRQ handler to        deal with this non-secure interrupt.

IRQ Occurring in Secure World

See FIG. 13A:

-   1. The schedule launches thread 1.-   2. Thread 1 needs to perform a secure function=>SMI secure call, the    core enters monitor mode. Current PC and CPSR are stored in R14_mon    and SPSR_mon, IRQ/FIQ are disabled.-   3. The monitor handler does the following tasks:    -   The S bit is set.    -   Saves at least R14_mon and SPSR_mon in a stack (eventually other        registers) so that non-secure context cannot be lost if an        exception occurs whilst the secure application is running.    -   Checks there is a new thread to launch: secure thread 1. A        mechanism (via thread ID table) indicates that thread 1 is        active in the secure world.    -   Secure application can then start in the secure user mode.        IRQ/FIQ are re-enabled.-   4. An IRQ occurs while secure thread 1 is running. The core jumps    directly to secure IRQ mode.-   5. The core stores current PC in R14_irq and CPSR in SPSR_irq. The    IRQ handler detects this is a non-secure interrupt and performs a    SMI to enter monitor mode with appropriate parameters.-   6. Secure context must be saved, previous non-secure context is    restored. The monitor handler knows where the SMI came from by    reading the CPSR. It can also go to IRQ mode to read    R14_irq/SPSR_irq to save properly secure context. It can also save    in these same registers the non-secure context that must be restored    once the IRQ routine will be finished.-   7. The IRQ handler services the IRQ, then gives control back to    thread 1 in the non-secure world. By restoring SPRS_irq and R14_irq    into the CPSR and PC, the core is now pointing onto the SMI    instruction that has been interrupted.-   8. The SMI instruction is re-executed (same instruction as 2).-   9. The monitor handler sees this thread has previously been    interrupted, and restores the thread 1 context. It then branches to    secure thread 1 in user mode, pointing to the instruction that has    been interrupted.-   10. Secure thread 1 runs until it finishes, then branches onto the    ‘return from secure’; function in monitor mode (dedicated SMI).-   11. The ‘return from secure’ function does the following tasks:    -   indicates that secure thread 1 is finished (i.e., in the case of        a thread ID table, remove thread 1 from the table).    -   restores from stack non-secure context and flushes required        registers, so that no secure information can be read once we        return in non-secure world.    -   branches back to the non-secure world with a SUBS instruction,        restoring the PC (from restored R14_mon) and CPSR (from        SPSR_mon). The return point in the non-secure world should be        the instruction following the previously executed SMI in thread        1.-   12. Thread 1 executes until the end, then gives the hand back to the    scheduler.

SIRQ Occurring in Non-Secure World

See FIG. 13B:

-   1. The schedule launches thread 1.-   2. A SIRQ occurs while secure thread 1 is running.-   3. The core jumps directly irq mode and stores current PC in R14_irq    and CPSR in SPSR_irq. IRQ is then disabled. The IRQ handler detects    this is a SIRQ and performs a SMI instruction with appropriate    parameters.-   4. Once in monitor mode, non-secure context must be saved, then the    core goes to a secure IRQ handler.-   5. The secure IRQ handler services the SIRQ service routine, then    gives control back to monitor with SMI with appropriate parameters.-   6. The monitor handler restores non-secure context so that a SUBS    instruction makes the core returns to non-secure world and resumes    the interrupted IRQ handler.-   7. The IRQ handler may then return to the non-secure thread by    performing a SUBS.-   8. Thread 1 executes until the end, then gives control back to the    scheduler.

With the mechanism of FIG. 12, there is no need to recreate the SIRQevent in the case of nested interrupts, but there is no guarantee thatsecure interrupts will be performed.

Exception Vectors

At least two physical vector tables are kept (although from a virtualaddress point of view they may appear as a single vector table), one forthe non-secure world in non-secure memory, the one for the secure worldin secure memory (not accessible from non-secure world). The differentvirtual to physical memory mappings used in the secure and non-secureworlds effectively allow the same virtual memory addresses to accessdifferent vector tables stored in physical memory. The monitor mode mayalways use flat memory mapping to provide a third vector table inphysical memory.

If the interrupts follow the FIG. 12 mechanism, there would be thefollowing vectors shown in FIG. 14 for each table. This vector set isduplicated in both secure and non-secure memory. Exception Vector OffsetCorresponding Mode Reset 0x00 Supervisor Mode (S bit set) Undef 0x04Monitor mode/Undef mode SWI 0x08 Supervisor mode/Monitor mode PrefetchAbort 0x0C Abort mode/Monitor mode Data Abort 0x10 Abort mode/MonitorMode IRQ/SIRQ 0x18 IRQ mode FIQ 0x1X FIQ mode SMI 0x20 Undefmode/Monitor mode

NB. The Reset entry is only in the secure vector table. When a Reset isperformed in non secure world, the core hardware forces entry ofsupervisor mode and setting of the S bit so that the Reset vector can beaccessed in secure memory.

FIG. 15 illustrates three exception vector tables respectivelyapplicable to a secure mode, a non-secure mode and the monitor mode.These exception vector tables may be programmed with exception vectorsin order to match the requirements and characteristics of the secure andnon-secure operating systems. Each of the exception vector tables mayhave an associated vector table base address register within CP15storing a base address pointing to that table within memory. When anexception occurs the hardware will reference the vector table baseaddress register corresponding to the current state of the system todetermine the base address of the vector table to be used.Alternatively, the different virtual to physical memory mappings appliedin the different modes may be used to separate the three differentvector table stored at different physical memory addresses. Asillustrated in FIG. 16, an exception trap mask register is provided in asystem (configuration controlling) coprocessor (CP15) associated withthe processor core. This exception trap mask register provides flagsassociated with respective exception types. These flags indicate whetherthe hardware should operate to direct processing to either the vectorfor the exception concerned within its current domain or should force aswitch to the monitor mode (which is a type of secure mode) and thenfollow the vector in the monitor mode vector table. The exception trapmask register (exception control register) is only writable from themonitor mode. It may be that read access is also prevented to theexception trap mask register when in a non-secure mode. It will be seenthat the exception trap mask register of FIG. 16 does not include a flagfor the reset vector as the system is configured to always force this tojump to the reset vector in the secure supervisor mode as specified inthe secure vector table in order to ensure a secure boot and backwardscompatibility. It will be seen that in FIG. 15, for the sake ofcompleteness, reset vectors have been shown in the vector tables otherthan the secure supervisor mode secure vector table.

FIG. 16 also illustrates that the flags for the different exceptiontypes within the exception trap mask register are programmable, such asby the monitor program during secure boot. Alternatively, some or all ofthe flags may in certain implementations be provided by physical inputsignals, e.g. the secure interrupt flag SIRQ may be hardwired to alwaysforce monitor mode entry and execution of the corresponding monitor modesecure interrupt request vector when a secure interrupt signal isreceived. FIG. 16 illustrates only that portion of the exception trapregister concerned with non-secure domain exceptions, a similar set ofprogrammable bits will be provided for secure domain exceptions.

Whilst it will be understood from the above that at one level thehardware acts to either force an interrupt to be serviced by the currentdomain exception handler or the monitor mode exception handler dependingupon the exception control register flags, this is only the first levelof control that is applied. As an example, it is possible for anexception to occur in the secure mode, the secure mode exception vectorto be followed to the secure mode exception handler, but this securemode exception handler then decide that the exception is of a naturethat it is better dealt with by the non-secure exception handler andaccordingly utilise an SMI instruction to switch to the non-secure modeand invoke the non-secure exception handler. The converse is alsopossible where the hardware might act to initiate the non-secureexception handler, but this then execute instructions which directprocessing to the secure exception handler or the monitor mode exceptionhandler.

FIG. 17 is a flow diagram schematically illustrating the operation ofthe system so as to support another possible type of switching requestassociated with a new type of exception. At step 98 the hardware detectsany instruction which is attempting to change to monitor mode asindicate in a current program status register (CPSR). When such anattempt is detected, then a new type of exception is triggered, thisbeing referred to herein as a CPSR violation exception. The generationof this CPSR violation exception at step 100 results in reference to anappropriate exception vector within the monitor mode and the monitorprogram is run at step 102 to handle the CPSR violation exception.

It will be appreciated that the mechanisms for initiating a switchbetween secure domain and non-secure domain discussed in relation toFIG. 17 may be provided in addition to support for the SMI instructionpreviously discussed. This exception mechanism may be provided torespond to unauthorised attempts to switch mode as all authorisedattempts should be made via an SMI instruction. Alternatively, such amechanism may be legitimate ways to switch between the secure domain andthe non-secure domain or may be provided in order to give backwardscompatibility with existing code which, for example, might seek to clearthe processing status register as part of its normal operation eventhough it was not truly trying to make an unauthorised attempt to switchbetween the secure domain and the non-secure domain.

As described above, in general interrupts are disabled when theprocessor is operating in monitor mode. This is done to increase thesecurity of the system. When an interrupt occurs the state of theprocessor at that moment is stored in interrupt exception registers sothat on completion of the interrupt function the processing of theinterrupted function can be resumed at the interrupt point. If thisprocess were allowed in monitor mode it could reduce the security of themonitor mode, giving a possible secure data leakage path. For thisreason interrupts are generally disabled in monitor mode. However, oneconsequence of disabling interrupts during monitor mode is thatinterrupt latency is increased.

It would be possible to allow interrupts in monitor mode if the state ofthe processor executing the function was not stored. This can only bedone if following an interrupt the function is not resumed. Thus, theproblem of interrupt latency in monitor mode may be addressed byallowing interrupts in monitor mode only of functions that can be safelyrestarted. In this case, following an interrupt in monitor mode, thedata relating to the processing of the function is not stored but isthrown away and the processor is instructed to start processing of thefunction from its beginning once the interrupt has finished. In theabove example this is a simple thing to do as the processor simplyreturns to the point at which it switched to monitor mode. It should benoted that restarting a function is only possible for certain functionsthat can be restarted and still produce repeatable results. If thefunction has changed a state of the processor such that if it wererestarted it would produce a different result then it is not a good ideato restart the function. For this reason, only those functions that aresafely restartable can be interrupted in monitor mode, for otherfunctions the interrupts are disabled.

FIG. 18 illustrates a way of dealing with an interrupt occurring inmonitor mode according to an embodiment of the present invention. An SMIoccurs during processing of task A in a non-secure mode and thisswitches the processor to monitor mode. The SMI instruction makes thecore enter the Monitor mode through a dedicated non-secure SMI vector.The current state of the PC is saved, the s bit is set and interruptsare disabled. Generally, LR_mon and SPSR_mon are used to save the PC andCPSR of the non secure mode.

A function, function C is then initiated in monitor mode. The firstthing function C does is to enable the interrupts, function C is thenprocessed. If an interrupt occurs during the processing of function C,the interrupts are not disabled so the interrupt is accepted andperformed. However, the monitor mode indicator indicates to theprocessor that following an interrupt, the function is not to beresumed, but rather restarted. Alternatively, this may be indicated tothe processor by a separate control parameter. Thus, following aninterrupt the interrupt exception vectors are updated with the values ofLR_mon and SPSR_mon and the current state of the processor is notstored.

As is shown in FIG. 18 following completion of the interrupt task, taskB, the processor reads the address of the SMI instruction which has beencopied to the interrupt register and performs an SMI and starts toprocess function C again.

The above process only works if function C is restartable, that is tosay if restarting process C will result in repeatable processing steps.This will not be the case if function C has changed any of the states ofthe processor such as the stack pointer that may affect its futureprocessing. A function that is repeatable in this way is said to haveidempotence. One way of dealing with the problem of a function nothaving idempotence is to rearrange the code defining the function insuch a way that the first portion of the code has idempotence and onceit is no longer possible to arrange the code to have idempotenceinterrupts are disabled. For example, if code C involves writing to thestack, it may be possible to do so without updating the stack pointer atleast at first. Once it is decided that the code can no longer feasiblybe safely restarted, then the code for function C can instruct theprocessor to disable interrupts and then it can update the stack pointerto the correct position. This is shown in FIG. 18 where interrupts aredisabled a certain way through the processing of function C.

FIG. 19 illustrates a slightly different example. In this example, acertain way through the processing of task C, a further controlparameter is set. This indicates that the following portion of task C isnot strictly idempotent, but can be safely restarted provided that afix-up routine is run first. This fix-up routine acts to restore a stateof the processor to how it was at the start of task C, such that task Ccan be safely restarted and produce the same processor state at the endof the task as it would have done had it not been interrupted. In someembodiments at the point that the further control parameter is setinterrupts may be disabled for a short while while some states of theprocessor are amended such as the stack pointer being updated. Thisallows the processor to be restored to an idempotent state later.

When an interrupt occurs after the further control parameter has beenset, then there are two possible ways to proceed. Either the fix-uproutine can be performed immediately (at F1) and then the interrupt canbe processed, or the interrupt can be processed immediately andfollowing completion of the interrupt, the SMI is executed and thenprior to restarting task C the fix-up routine is performed (at F2). Ascan be seen, in both of these embodiments the fix-up routine isperformed in monitor mode, and thus execution in the non-secure domain,which is not aware of the secure domain or of the monitor mode is notaffected.

As can be seen from FIG. 19, a first portion of code C has idempotenceand can be restarted following an interrupt. A second portion isrestartable provided a fix-up routine is run first, and this isindicated by setting a “further” control parameter, and a final portionof the code cannot be restarted and thus, interrupts are disabled beforethis code is processed.

FIG. 20 illustrates an alternative example, in this case, which isdifferent to other embodiments, interrupts are enabled during themonitor mode. Functions running in the monitor mode then act to disableinterrupts as soon as they are no longer safely restartable. This isonly possible if all functions interrupted in monitor mode are restartedrather than resumed.

There are several ways that it can be ensured that all functions runningin a certain mode are restarted rather than resumed when interrupted.One way is by adding a new processor state in which interrupts save theaddress of the start of the instruction sequence rather than the addressof the interrupted instruction. In this case monitor mode would thenalways be run in this state. An alternative way is by preloading theaddress of the start of a function to the interrupt exception registerat the start of each function and disabling subsequent writing of thestate of the processor following interrupt to interrupt exceptionregisters.

In the embodiment illustrated in FIG. 20 restarting of the functions maybe done immediately following termination of the interrupt function orit may be done following a fix-up routine, if that is required to makethe function safely restartable.

Although the above described way of dealing with interrupt latency hasbeen described with respect to a system having secure and non-securedomains and a monitor mode, it is clearly applicable to any system whichhas functions that should not be resumed for a particular reason.Generally such functions operate by disabling interrupts which increaseinterrupt latency. Amending the functions to be restartable andcontrolling the processor to restart them following an interrupt allowsthe interrupts to be enabled for at least a portion of the processing ofthe function and helps reduce interrupt latency. For example normalcontext switching of an operating system.

Access to Secure and Non-Secure Memory

As described with reference to FIG. 1, the data processing apparatus hasmemory, which includes, inter alia, the TCM 36, cache 38, ROM 44, memoryof slave devices and external memory 56. As described with reference toFIG. 37 for example, memory is partitioned into secure and non-securememory. It will be appreciated that there will not typically be anyphysical distinction between the secure memory regions and non-securememory regions of the memory at the time of fabrication, but that theseregions will instead be defined by a secure operating system of the dataprocessing apparatus when operating in the secure domain. Hence, anyphysical part of the memory device may be allocated as secure memory,and any physical part may be allocated as non-secure memory.

As described with reference to FIGS. 2 to 5, the processing system has asecure domain and a non-secure domain. In the secure domain, a securekernel program 80 is provided and which executes in a secure mode. Amonitor program 72 is provided which straddles the secure and non-securedomains and which executes at least partly in a monitor mode. Inembodiments of the invention the monitor program executes partly in themonitor mode and partly in a secure mode. As shown in for example FIG.10, there are a plurality of secure modes including, inter alia, asupervisor mode SVC.

The monitor program 72 is responsible for managing all changes betweenthe secure and non-secure domains in either direction. Some of itsfunctions are described with reference to FIGS. 8 and 9 in the section‘Processor Modes’. The monitor program is responsive to a mode switchingrequest SMI issued in the non-secure mode to initiate a switch from thesaid non-secure mode to the said secure mode and to a mode switchingrequest SMI issued in the secure mode to initiate a switch from the saidsecure mode to the said non-secure mode. As described in the section‘Switching between worlds’, in the monitor mode, switching takes placeswitching at least some of the register from one of the secure andnon-secure domains to the other. That involves saving the state of aregister existing in one domain and writing a new state to the register(or restoring a previously saved state in the register) in the otherdomain. As also described herein access to some registers may bedisabled when performing such a switch. Preferably, in monitor mode allinterrupts are disabled.

Because the monitor mode in which the monitor program executes straddlesthe secure and non-secure domains it is important that the monitorprogram is provably secure: that is it implements only those functionsit is intended to implement. It is thus advantageous if the monitorprogram is a simple as possible. The secure modes allow processes toexecute only in the secure domain. In this embodiment of the presentinvention, the privileged secure mode(s) and the monitor mode allowsaccess to the same secure and non-secure memory. By ensuring that theprivileged secure models) ‘see’ the same secure and non-secure memory,functions which could otherwise only be implemented in the monitor modeare transferred to the secure mode allowing simplification of themonitor program. In addition, this allows a process operating in aprivileged secure mode to switch directly to monitor mode and viceversa. A switch from a privileged secure mode to the monitor mode ispermitted and in the monitor mode a switch to the non-secure domain maybe made. Non-privileged secure modes must use an SMI to enter themonitor mode. The system enters the privileged secure mode following areset. Switches between the monitor mode and the privileged secure modeand back are made to facilitate state saving when moving betweendomains.

In other embodiments access to the S flag may be allowed from withinsecure privileged modes as well as from within the monitor mode. Ifsecure privileged modes are allowed to switch the processor into monitormode whilst maintaining control of the program flow, then such secureprivileged modes already effectively have the ability to change the Sflag (bit). Thus, the additional complexity of providing that the S flagcan only be changed within the monitor mode is not justified. The S flagcan instead be stored in the same way as other configuration flags whichmay be changed by one or more secure privileged modes. Such embodimentswhere the S flag may be changed within one of more secure privilegedmodes are included within the current techniques.

Returning to the previously discussed example embodiment, the apparatushas a processor core 10 which defines the modes and defines theprivilege levels of the modes; i.e. the set of functions which any modeallows. Thus the processor core 10 is arranged in known manner to allowthe secure modes and the monitor mode access to secure and non-securememory and the secure modes access to all memory to which the monitormode allows access and to allow a process operating in any privilegedsecure mode to switch directly to monitor mode and vice versa. Theprocessor core 10 is preferably arranged to allow the following.

In one example of the apparatus, the memory is partitioned into securememory and non-secure memory, and both secure and non-secure memory isaccessible only in the monitor and secure modes. Preferably, thenon-secure memory is accessible in monitor mode, a secure mode and anon-secure mode.

In another example of the apparatus, in the monitor mode and one or moreof the secure modes, access to the non-secure memory is denied to thesecure mode; and in non-secure mode access to the non-secure memory isdenied to the secure and monitor modes. Thus secure memory is accessedonly in monitor and secure modes and non-secure memory is accessed onlyby non-secure modes increasing security.

In examples of the apparatus, resetting or booting of the apparatus maybe performed in the monitor mode which may be regarded as a mode whichis more privileged than a secure mode, privileged mode. However, in manyexamples of the apparatus are arranged to provide resetting or bootingin a secure mode which is possible because of the direct switchingallowed between the secure mode and the monitor mode.

As described with reference to FIG. 2, in the secure domain, and in asecure mode, a secure kernel 80 (or operating system) functions, and oneor more secure application programs 82, 84 may be run under the securekernel 80. The secure kernel and/or the secure application program orany other program code running in a secure mode is allowed access toboth secure and non-secure memory.

Whilst examples of this invention have been described with reference toapparatus having a processor, the invention may be implemented by acomputer program which when run on a suitable processor configure s theprocessor to operate as described in this section.

A description of an alternative embodiment(s) of the present techniqueconsidered from a programmer's model view is given below in relation toFIGS. 21 to 23 as follows:

In the following description, we will use the following terms that mustbe understood in the context of an ARM processor as designed by ARMLimited, of Cambridge, England.

-   -   S bit: Secure state bit, contained in a dedicated CP15 register.    -   ‘Secure/Non-Secure state’. This state is defined by the S bit        value. It indicates whether the core may access the Secure world        (when it is in Secure state, i.e. S=1) or is restricted to the        Non-secure world only (S=0). Note that the Monitor mode (see        further) overrides the S bit status.    -   ‘Non-Secure World’ groups all hardware/software accessible to        non-secure applications that do not require security.    -   ‘Secure World’ groups all hardware/software (core, memory . . .        ) that is only accessible when we execute secure code.    -   Monitor mode: new mode that is responsible for switching the        core between the Secure and Non-secure state.

As a brief summary

-   -   The core can always access the Non-secure world.    -   The core can access the Secure world only when it is in Secure        state or Monitor mode.    -   SMI: Software Monitor Interrupt: New instruction that will make        the core enter the Monitor mode through a dedicated SMI        exception vector. ‘Thread ID’: is the identifier associated to        each thread (controlled by an OS). For some types of OS where        the OS runs in non-secure world, each time a secure function is        called, it will be necessary to pass as a parameter the current        thread ID to link the secure function to its calling non-secure        application. The secure world can thus support multi-threads.    -   Secure Interrupt defines an interrupt generated by a Secure        peripheral.

Programmer's Model

Carbon Core Overview

The concept of the Carbon architecture, which is the term used hereinfor processors using the present techniques, consists in separating twoworlds, one secure and one non-secure. The secure world must not leakany data to non-secure world.

In the proposed solution, the secure and non-secure states will sharethe same (existing) register bank. As a consequence, all current modespresent in ARM cores (Abort, Undef, Irq, User, . . . ) will exist ineach state.

The core will know it operates in secure or non-secure state thanks to anew state bit, the S (secure) bit, instantiated in a dedicated CP15register.

Controlling which instruction or event is allowed to modify the S bit,i.e. to change from one state to the other, is a key feature of thesecurity of the system. The current solution proposes to add a new mode,the Monitor mode, that will “supervise” switching between the twostates. The Monitor mode, by writing to the appropriate CP15 register,would be the only one allowed to alter the S bit.

Finally, we propose to add some flexibility to the exception handling.All exceptions, apart from the reset, would be handled either in thestate where they happened, or would be directed to the Monitor mode.This would be left configurable thanks to a dedicated CP15 register.

The details of this solution are discussed in the following paragraphs.

Processor State and Modes

Carbon New Features

Secure or Non-Secure State (S Bit)

One major feature of the Carbon core is the presence of the S bit, whichindicates whether the core is in a Secure (S=1) or Non-secure (S=0)state. When in Secure state, the core would be able to access any datain the Secure or Non-secure worlds. When in Non-Secure state, the corewould be restricted to the Non-secure world only.

The only exception to this rule concerns the Monitor mode, whichoverrides the S bit information. Even when S=0, the core will performSecure privileged accesses when it is in Monitor mode. See nextparagraph, Monitor mode, for further information.

The S bit can only be read and written in Monitor mode. Whatever the Sbit value, if any other mode tries to access it, this will be eitherignored or result in an Undefined exception.

All exceptions, apart from Reset, have no effect on the Secure statebit. On Reset, the S bit will be set, and the core will start inSupervisor mode. Refer to the boot section for detailed information.

Secure/Nonsecure states are separate and operate independently of theARM/Thumb/Java states.

Monitor Mode

One other important feature of the Carbon system is the creation of anew mode, the Monitor mode. This will be used to control the coreswitching between the Secure and Non-secure states. It will always beconsidered as a secure mode, i.e. whatever the value of the S bit, thecore will always perform Secure Privileged accesses to the externalworld when it is in Monitor mode.

Any Secure privileged mode (i.e. privileged modes when S=1) would beable to switch to Monitor mode by simply writing the CPSR mode bits(MSR, MOVS, or equivalent instruction). However, this would be forbiddenin any Non-secure mode or Secure user mode. If this ever happens, theinstruction would be ignored or cause an exception.

There may be a need for a dedicated CPSR violation exception. Thisexception would be raised by any attempt to switch to Monitor mode bydirectly writing the CPSR from any Non-secure mode or Secure user mode.

All exceptions except Reset are in effect disabled when Monitor mode isactive:

-   -   all interrupts are masked;    -   all memory exceptions are either ignored or cause a fatal        exception.    -   undefined/SWI/SMI are ignored or cause a fatal exception.

When entering Monitor mode, the interrupts are automatically disabledand the system monitor should be written such that none of the othertypes of exception can happen while the system monitor is running.

Monitor mode needs to have some private registers. This solutionproposes that we only duplicate the minimal set of registers, i.e R13(sp_mon), R14 (Ir_mon) and SPSR (spsr_mon).

In Monitor mode, the MMU will be disabled (flat address map) as well asthe MPU or partition checker (the Monitor mode will always performsecure privileged external accesses). However, specially programmed MPUregion attributes (cacheability, . . . ) would still be active. As analternative the Monitor mode may use whatever mapping is used by thesecure domain.

New Instruction

This proposal requires adding one new instruction to the existing ARMinstruction set.

The SMI (Software Monitor Interrupt) instruction would be used to enterthe Monitor mode, branching at a fixed SMI exception vector. Thisinstruction would be mainly used to indicate to the Monitor to swapbetween the Non-secure and Secure State.

As an alternative (or in addition) it would be possible to add a newinstruction to allow the Monitor mode to save/restore the state of anyother mode onto/from the Monitor stack to improve context switchingperformance.

Processor Modes

As discussed in the previous paragraph, only one new mode is added inthe core, the Monitor mode. All existing modes remain available, andwill exist both in the secure and non-secure states.

In fact, Carbon users will see the structure illustrated in FIG. 21.

Processor Registers

This embodiment proposes that the secure and the non-secure worlds sharethe same register bank. This implies that, when switching from one worldto the other through the Monitor mode, the system monitor will need tosave the first world context, and create (or restore) a context in thesecond world.

Passing parameters becomes an easy task: any data contained in aregister in the first world will be available in the same register inthe second world once the system monitor has switched the S bit.

However, apart from a limited number of registers dedicated to passingparameters, which will need to be strictly controlled, all otherregisters will need to be flushed when passing from Secure to Non-securestate in order to avoid any leak of Secure data. This will need to beensured by the Monitor kernel.

The possibility of implementing a hardware mechanism or a newinstruction to directly flush the registers when switching from Secureto Non-secure state is also a possibility.

Another solution proposed involves duplicating all (or most of) theexisting register bank, thus having two physically separated registerbanks between the Secure and Non-secure state. This solution has themain advantage of clearly separating the secure and non-secure datacontained in the registers. It also allows fast context switchingbetween the secure and non-secure states. However, the drawback is thatpassing parameters through registers becomes difficult, unless we createsome dedicated instructions to allow the secure world access thenon-secure registers

FIG. 22 illustrates the available registers depending on the processormode. Note that the processor state has no impact on this topic.

Exceptions

Secure Interrupts

Current Solution

It is currently proposed to keep the same interrupt pins as in thecurrent cores, i.e. IRQ and FIQ. In association with the Exception TrapMask register (defined later in the document), there should besufficient flexibility for any system to implement and handle differentkind of interrupts.

VIC Enhancement

We could enhance the VIC (Vectored Interrupt Controller) in thefollowing way: the VIC may contain one Secure information bit associatedto each vectored address. This bit would be programmable by the Monitoror Secure privileged modes only. It would indicate whether theconsidered interrupt should be treated as Secure, and thus should behandled on the Secure side.

We would also add two new Vector Address registers, one for all SecureInterrupts happening in Non-Secure state, the other one for allNon-Secure interrupts happening in Secure state.

The S bit information contained in CP15 would be also available to theVIC as a new VIC input.

The following table summarizes the different possible scenarios,depending on the status of the incoming interrupt (Secure or Non-secure,indicated by the S bit associated to each interrupt line) and the stateof the core (S bit in CP15=S input signal on the VIC). Core in securestate Core in Non-secure state (CP15 − S = 1) (CP15 − S = 0) Secure Noneed to switch between worlds. The VIC has no Vector associatedInterrupt The VIC directly presents to the core the to this interrupt inthe Non-secure Secure address associated to the interrupt line. domain.It thus presents to the core The core simply has to branch at thisaddress the address contained in the Vector where it should find theassociated ISR. address register dedicated to all Secure interruptsoccurring in Non- secure world. The core, still in Non- secure world,then branches to this address, where it should find an SMI instructionto switch to Secure world. Once in Secure world, it would be able tohave access to the correct ISR. Non- The VIC has no Vector associated tothis No need to switch between worlds. Secure interrupt in the Securedomain. It thus The VIC directly presents to the Interrupt presents tothe core the address contained in core the Non-secure address the Vectoraddress register dedicated to all associated to the interrupt line. TheNon-secure interrupts occurring in Secure core simply has to branch atthis world. The core, still in Secure world, then address where itshould find the branches to this address, where it should findassociated Non-secure ISR. an SMI instruction to switch to Non-secureworld. Once in Non-secure world, it would be able to have access to thecorrect ISR.

Exception Handling Configurability

In order to improve Carbon flexibility, a new register, the ExceptionTrap Mask, would be added in CP15. This register would contain thefollowing bits: Bit 0: Undef exception (Non-secure state) Bit 1: SWIexception (Non-secure state) Bit 2: Prefetch abort exception (Non-securestate) Bit 3: Data abort exception (Non-secure state) Bit 4: IRQexception (Non-secure state) Bit 5: FIQ exception (Non-secure state) Bit6: SMI exception (both Non-secure/Secure states) Bit 16: Undef exception(Secure state) Bit 17: SWI exception (Secure state) Bit 18: Prefetchabort exception (Secure state) Bit 19: Data abort exception (Securestate) Bit 20: IRQ exception (Secure state) Bit 21: FIQ exception(Secure state)

The Reset exception does not have any corresponding bit in thisregister. Reset will always cause the core to enter the Securesupervisor mode through its dedicated vector.

If the bit is set, the corresponding exception makes the core enter theMonitor mode. Otherwise, the exception will be handled in itscorresponding handler in the world where it occurred.

This register would only be visible in Monitor mode. Any instructiontrying to access it in any other mode would be ignored.

This register should be initialized to a system-specific value,depending upon whether the system supports a monitor or not. Thisfunctionality could be controlled by a VIC.

Exception Vectors Tables

As there will be separate Secure and Non-secure worlds, we will alsoneed separate Secure and Non-secure exception vectors tables.

Moreover, as the Monitor can also trap some exceptions, we may also needa third exception vectors table dedicated to the Monitor.

The following table summarizes those three different exception vectorstables:

In Non-Secure Memory: Automatically Address Exception Mode accessed when0x00 — — 0x04 Undef Undef Undefined instruction executed when core is inNon-Secure state and Exception Trap Mask reg [Non-secure Undef] = 0 0x08SWI Supervisor SWI instruction executed when core is in Non-Secure stateand Exception Trap Mask reg [Non-secure SWI] = 0 0x0C Prefetch AbortAborted instruction when core Abort is in Non-Secure state and ExceptionTrap Mask reg [Non-secure PAbort] = 0 0x10 Data Abort Aborted data whencore is in Abort Non-Secure state and Exception Trap Mask reg[Non-secure DAbort] = 0 0x14 Reserved 0x18 IRQ IRQ IRQ pin asserted whencore is in Non-Secure state and Exception Trap Mask reg [Non-secure IRQ]= 0 0x1C FIQ FIQ FIQ pin asserted when core is in Non-Secure state andException Trap Mask reg [Non-secure FIQ] = 0

In Secure Memory: Address Exception Mode Automatically accessed when0x00 Reset* Supervisor Reset pin asserted 0x04 Undef Undef Undefinedinstruction executed when core is in Secure state and Exception TrapMask reg [Secure Undef] = 0 0x08 SWI Supervisor SWI instruction executedwhen core is in Secure state and Exception Trap Mask reg [Secure SWI] =0 0x0C Prefetch Abort Aborted instruction when Abort core is in Securestate and Exception Trap Mask reg [Secure PAbort] = 0 0x10 Data AbortAborted data when core is in Abort Secure state and Exception Trap Maskreg [Secure Dabort] = 0 0x14 Reserved 0x18 IRQ IRQ IRQ pin asserted whencore is in Secure state and Exception Trap Mask reg [Secure IRQ] = 00x1C FIQ FIQ FIQ pin asserted when core is in Secure state and ExceptionTrap Mask reg [Secure FIQ] = 0*Refer to “Boot” section for further explanation on the Reset mechanism

In Monitor Memory (Flat Mapping): Address Exception Mode Automaticallyaccessed when 0x00 — — — 0x04 Undef Monitor Undefined instructionexecuted when Core is in Secure state and Exception Trap Mask reg[Secure Undef] = 1 Core is in Non- secure state and Exception Trap Maskreg [Non-secure Undef] = 1 0x08 SWI Monitor SWI instruction executedwhen Core is in Secure state and Exception Trap Mask reg [Secure SWI] =1 Core is in Non- secure state and Exception Trap Mask reg [Non-secureSWI] = 1 0x0C Prefetch Monitor Aborted instruction when Core is Abort inSecure state and Exception Trap Mask reg [Secure IAbort] = 1 Core is inNon-secure state and Exception Trap Mask reg [Non- secure Iabort] = 10x10 Data Monitor Aborted data when Core is in Abort Secure state andException Trap Mask reg [Secure PAbort] = 1 Core is in Non-secure stateand Exception Trap Mask reg [Non- secure Pabort] = 1 0x14 SMI Monitor0x18 IRQ Monitor IRQ pin asserted when core is in Secure state andException Trap Mask reg [Secure IRQ] = 1 core is in Non-secure state andException Trap Mask reg [Non- secure IRQ] = 1 0x1C FIQ Monitor FIQ pinasserted when core is in Secure state and Exception Trap Mask reg[Secure FIQ] = 1 core is in Non-secure state and Exception Trap Mask reg[Non- secure FIQ] = 1

In Monitor mode, the exceptions vectors may be duplicated, so that eachexception will have two different associated vector:

-   -   One for the exception arising in Non-secure state    -   One for the exception arising in Secure state

This may be useful to reduce the exception latency, because the monitorkernel does not have any more the need to detect the originating statewhere the exception occurred.

Note that this feature may be limited to a few exceptions, the SMI beingone of the most suitable candidates to improve the switching between theSecure and Non-secure states.

Switching Between Worlds

When switching between states, the Monitor mode must save the context ofthe first state on its Monitor stack, and restore the second statecontext from the Monitor stack.

The Monitor mode thus needs to have access to any register of any othermodes, including the private registers (r14, SPSR, . . . ).

To handle this, the proposed solution consists in giving any privilegemode in Secure state the rights to directly switch to Monitor mode bysimply writing the CPSR.

With such a system, switching between worlds is performed as follows:

-   -   enter Monitor mode    -   set the S bit    -   switch to supervisor mode—save the supervisor registers on the        MONITOR stack (of course the supervisor mode will need to have        access to the Monitor stack pointer, but this can be easily        done, for example by using a common register (R0 to R8))    -   switch to System mode—save the registers (=same as the user        mode) on the Monitor stack    -   IRQ registers on the Monitor stack etc . . . for all modes        -   Once all private registers of all modes are saved, revert to            Monitor mode with a simple MSR instruction (=simply write            Monitor value in the CPSR mode field)

The other solutions have also been considered:

-   -   Add a new instruction that would allow the Monitor to save other        modes' private registers on its own stack.    -   Implement the Monitor as a new “state”, i.e. being able to be in        Monitor state (to have the appropriate access rights) and in IRQ        (or any other) mode, to see the IRQ (or any other) private        registers.

Basic Scenario (See FIG. 23)

-   1. Thread 1 is running in non-secure world (S bit=0)    -   This thread needs to perform a secure function =>SMI        instruction.-   2. The SMI instruction makes the core enter the Monitor mode through    a non-secure SMI vector.    -   LR_mon and SPSR_mon are used to save the PC and CPSR of the non        secure mode.    -   At this stage the S bit remains unchanged, although the system        is now in a secure state.    -   The monitor kernel saves the non-secure context on the monitor.    -   It also pushes LR_mon and SPSR_mon.    -   The monitor kernel then changes the “S” bit by writing into the        CPI 5 register.    -   In this embodiment the monitor kernel keeps track that a “secure        thread 1” will be started in the secure world (e.g. by updating        a Thread ID table).    -   Finally, it exits the monitor mode and switches to secure        supervisor mode (MOVS instruction after having updated LR_mon        and SPSR_mon?).-   3. The secure kernel dispatches the application to the right secure    memory location, then switches to user mode (e.g. using a MOVS).-   4. The secure function in executed in secure user mode. Once    finished, it calls an “exit” function by performing an appropriate    SWI.-   5. The SWI instruction makes the core enter the secure svc mode    through a dedicated SWI vector, that in turn performs the “exit”    function. This “exit” function ends with an “SMI” to switch back to    monitor mode.-   6. The SMI instruction makes the core enter the monitor mode through    a dedicated secure SMI vector.    -   LR_mon and SPSR_mon are used to save the PC and CPSR of the        Secure svc mode.    -   The S bit remains unchanged (i.e. Secure State).    -   The monitor kernel registers the fact that secure thread I is        finished (removes the secure thread 1 ID from the thread ID        table?).    -   It then changes the “S” bit by writing into the CP15 register,        returning to non-secure state.    -   The monitor kernel restores the non-secure context from the        monitor stack.    -   It also load the LR_mon and CPSR_mon previously saved in step 2.    -   Finally, it exits monitor mode with a SUBS, that will make the        core return in non-secure user mode, on the instruction-   7. Thread 1 can resume normally.

Referring to FIG. 6, all of the registers are shared between the secureand non-secure domains In monitor mode, switching takes place switchingthe registers from one of the secure and non-secure domains to theother. That involves saving the state of a register existing in onedomain and writing a new state to the register (or restoring apreviously saved state in the register) in the other domain as is alsodescribed in the section ‘Switching between Worlds’ above.

It is desirable to reduce the time taken to perform this switch. Toreduce the time taken to perform the switch, the shared registers aredisabled when switching between the secure and non-secure domainsretaining unchanged the data values stored therein. For example,consider a switch from the non-secure domain to the secure domain.Assume that for example the FIQ registers shown in FIG. 6 are not neededin the secure world. Thus, those registers are disabled and there is noneed to switch them to the secure domain and there is no need to savethe contents of those registers.

Disabling of the registers may be achieved in several ways. One way isto lock out the mode which uses those registers. That is done by writinga control bit in a CP15 register indicating the disabling of that mode.

Alternatively, access to the registers may be disabled on an instructionby instruction basis again by writing control bits in a CP15 register.The bits written in the CP15 register relate explicitly to the register,not the mode, so the mode is not disabled but access to the register inthe mode is disabled.

The FIQ registers store data associated with a fast interrupt. If theFIQ register(s) are disabled and a fast interrupt occurs, the processorsignals an exception in the monitor. In response to an exception, themonitor mode is operable to save any data values associated with onedomain and stored in the said disabled register and to load into thatregister new data values associated with the other domain and thenre-enable the FIQ mode registers.

The processor may be arranged so that when in the monitor mode allbanked registers are disabled when the processor switches domains.Alternatively, the disabling of the registers may be selective in thatsome predetermined ones of the shared registers are disabled whenswitching domains and others may be disabled at the choice of theprogrammer.

The processor may be arranged so that when switching domains in themonitor mode, one or more of the shared registers are disabled, and oneor more others of the shared registers have their data saved whenexisting one domain, and have new data loaded in the other domain. Thenew data may be null data.

FIG. 24 schematically illustrates the concept of adding a secureprocessing option to a traditional ARM core. The diagram schematicallyshows how a processor that contains a secure processing option can beformed by adding a secure processing option to an existing core. If thesystem is to be backwards compatible with an existing legacy operatingsystem, it is intuitive to think of the legacy system operating in thetraditional non-secure part of the processor. However, as is shownschematically in the lower part of the Figure and is detailed furtherbelow, it is in fact in the secure portion of the system that a legacysystem operates.

FIG. 25 shows a processor having a secure and non-secure domain andillustrating reset and is similar to FIG. 2. FIG. 2 illustrates aprocessor that is adapted to run a security sensitive type of operationwith a secure OS system controlling processing in the secure domain anda non-secure OS system controlling processing in the non-secure domain.The processor is however also backwards compatible with a traditionallegacy operating system and thus, the processor may operate in asecurity insensitive way using a legacy operating system.

As is shown in FIG. 25, the reset is in the secure domain, and whateverthe type of operation reset occurs here with the S-bit or securitystatus flag set. In the case of a security insensitive type ofoperation, reset occurs in the secure domain and processing thencontinues within the secure domain. The legacy operating systemcontrolling processing is however unaware of the security aspects of thesystem.

As is shown in FIG. 25 reset is performed to set the address at which tostart processing within the secure supervisor mode whether processing isto be secure sensitive or is in fact secure insensitive. Once reset hasbeen performed the additional tasks present in a boot or rebootmechanism are then performed. The boot mechanism is described below.

Boot Mechanism

The boot mechanism must respect the following features:

-   -   Keep compatibility with legacy OSes.    -   Boot in most privileged mode to ensure the security of the        system.

As a consequence, Carbon cores will boot in Secure Supervisor mode.

The different systems will then be:

-   -   For systems wanting to run legacy OSes, the S bit is not taken        into account and the core will just see it boots in Supervisor        mode.    -   For systems wanting to use the Carbon features, the core boots        in Secure privileged mode which should be able to configure all        secure protections in the system (potentially after swapping to        Monitor mode)

With respect to the details of the boot mechanism given above theprocessor of embodiments of the present invention resets the processorto start processing in the secure supervisor mode in all cases. In thecase of a security insensitive type of operation the operating system isin effect operating in the secure domain although security is not herean issue, because the S bit is set (although the operating system isunaware of this). This has the advantage that parts of the memory thatare inaccessible from the non-secure domain are accessible in thissituation.

Booting in secure supervisor mode in all cases is also advantageous insecurity sensitive systems as it helps ensure the security of thesystem. In secure sensitive systems, the address provided at boot pointsto where the boot program is stored in secure supervisor mode and thus,enables the system to be configured as a secure system and to switch tomonitor mode. Switching from secure supervisor mode to monitor mode isallowed in general and enables the secure system at an appropriate timeto start processing in monitor mode to initialise monitor modeconfiguration.

FIG. 26 illustrates at step 1 a non-secure thread NSA being executed bya non-secure operating system. At step 2 the non-secure thread NSA makesa call to the secure domain via the monitor mode running a monitor modeprogram at step 3. The monitor mode program changes the S-bit to switchdomain and performs any necessary context saving and context restoringprior to moving to the secure operating system at step 5. Thecorresponding secure thread SA is then executed before it is subject toan interrupt irq at step 6. The interrupt handling hardware triggers areturn to the monitor mode at step 7 where it is determined as towhether the interrupt will be handled by the secure operating system orthe non-secure operating system. In this case, the interrupt is handledby the non-secure operating system starting at step 9. When thisinterrupt has been handled by the non-secure operating system, thenon-secure thread NSA is resumed as the current task in the non-secureoperating system prior to a normal thread switching operation at step11. This thread switching may be the result of a timing event or thelike. A different thread NSB is executed in the non-secure domain by thenon-secure operating system at step 12 and this then makes a call to thesecure domain via the monitor domain/program at step 14. The monitorprogram at step 7 has stored a flag, used some other mechanism, toindicate that the secure operating system was last suspended as a resultof an interrupt rather than having been left because a secure thread hadfinished execution or due to a normal request to leave. Accordingly,since the secure operating system was suspended by an interrupt, themonitor program at step 15 re-enters the secure operating system using asoftware faked interrupt which specifies a return thread ID (e.g. anidentifier of the thread to be started by the secure operating system asrequested by the non-secure thread NSB, as well as other parameterdata). These parameters of the software faked interrupt may be passed asregister values.

The software faked interrupt triggers a return interrupt handler routineof the secure operating system at step 15. This return interrupt handlerroutine examines the return thread ID of the software faked interrupt todetermine whether or not this matches the thread ID of the secure threadSA which was interrupted the last time the secure operating system wasexecuted prior to its suspension. In this case, there is not a match andaccordingly at step 16 the secure operating system is triggered toperform a thread switch to the return thread as specified by thenon-secure thread NSB after the context of the secure thread SA has beensaved. The secure thread SA can then later be restarted from the pointat which it was interrupted as required.

FIG. 27 schematically illustrates another example of the type ofbehaviour illustrated in FIG. 26. In this example whilst processingproceeds under control of the non-secure operating system to handle theirq, there is no non-secure thread switch and accordingly when thesoftware faked interrupt is received by the return interrupt handler ofthe secure operating system it determines that no thread switch isrequired and simply resumes the secure thread SA at step 15.

FIG. 28 is a flow diagram schematically illustrating the processingperformed by the return thread handler. At step 4002 the return threadhandler is started. At step 4004 the return thread identifier from thesoftware faked interrupt is examined and compared with the currentlyexecuting secure thread when the secure operating system was suspended.If these match, then processing proceeds to step 4006 at which thesecure thread is resumed. If the comparison at step 4004 is not matched,then processing proceeds to step 4008 at which the context of the oldsecure thread is saved, (for subsequent resumption) prior to a switchbeing made to the new secure thread at step 4010. The new thread mightalready be under way and so step 4010 is a resumption.

FIG. 29 schematically illustrates processing whereby a slave secureoperating system may follow task switches performed by a masternon-secure operating system. The master non-secure operating system maybe a legacy operating system with no mechanisms for communicating andco-ordinating its activities to other operating systems and accordinglyoperate only as a master. As an initial entry point in FIG. 29 thenon-secure operating system is executing a non-secure thread NSA. Thisnon-secure thread NSA makes a call to a secure thread which is to beexecuted by the secure operating system using a software interrupt, anSMI call. The SMI call goes to a monitor program executing in a monitormode at step 2 whereupon the monitor program performs any necessarycontext saving and switching before passing the call onto the secureoperating system at step 4. The secure operating system then starts thecorresponding secure thread SA. This secure thread may return controlvia the monitor mode to the non-secure operating system, such as as aresult of a timer event or the like. When the non-secure thread NSAagain passes control to the secure operating system at step 9 it does soby reissuing the original software interrupt. The software interruptincludes the non-secure thread ID identifying NSA, the secure thread IDof the target secure thread to be activated, i.e. the thread IDidentifying secure thread SA as well as other parameters.

When the call generated at step 9 is passed on by the monitor programand received at step 12 in the secure domain by the secure operatingsystem, the non-secure thread ID can be examined to determine whether ornot there has been a context switch by the non-secure operating system.The secure thread ID of the target thread may also be examined to seethat the correct thread under the secure operating system is restartedor started as a new thread. In the example of FIG. 29, no thread switchis required in the secure domain by the secure operating system.

FIG. 30 is similar to FIG. 29 except that a switch in thread occurs atstep 9 in the non-secure domain under control of the non-secureoperating system. Accordingly, it is a different non-secure thread NSBwhich makes the software interrupt call across to the secure operatingsystem at step 11. At step 14, the secure operating system recognisesthe different thread ID of the non-secure thread NSB and accordinglyperforms a task switch involving saving the context of the secure threadSA and starting the secure thread SB.

FIG. 31 is a flow diagram schematically illustrating processingperformed by the secure operating system when receiving a softwareinterrupt as a call to start a thread or resume a thread of the secureoperating system. At step 4012 the call is received. At step 4014 theparameters of the call are examined to determine if they match thecurrently active secure thread upon the secure operating system. If amatch occurs, then this secure thread is restarted at step 4016. If amatch does not occur, then processing proceeds to step 4018 where adetermination is made as to whether or not the newly requested thread isavailable. The newly requested thread might be unavailable due to areason such as it being or requiring an exclusive resource which isalready in use by some other thread executing on a secure operatingsystem. In such a case, the call is rejected at step 4020 with anappropriate message being returned to the non-secure operating system.If the determination at step 4018 is that the new thread is available,then processing proceeds to step 4022 at which the context of the oldsecure thread is saved for possible later resumption. At step 4024 aswitch is made to the new secure thread as specified in the softwareinterrupt call made to the secure operating system.

FIG. 32 schematically illustrates operation whereby a priority inversionmay occur when handling interrupts within a system having multipleoperating systems with different interrupts being handled by differentoperating systems.

Processing starts with the secure operating system executing a securethread SA. This is then interrupted by a first interrupt Int1. Thistriggers the monitor program within the monitor mode to determinewhether or not the interrupt is to be handled in the secure domain orthe non-secure domain. In this case, the interrupt is to be handled inthe secure domain and processing is returned to the secure operatingsystem and the interrupt handling routine for interrupt Int1 is started.Partway through execution of the interrupt handling routine for Int1, afurther interrupt Int2 is received which has a higher priority. Thus,the interrupt handler for Int1 is stopped and the monitor program in themonitor mode used to determine where the interrupt Int2 is to behandled. In this case the interrupt Int2 is to be handled by thenon-secure operating system and accordingly control is passed to thenon-secure operating system and the interrupt handler for Int2 started.When this interrupt handler for the interrupt Int2 has completed, thenon-secure operating system has no information indicating that there isa pending interrupt Int1 for which servicing has been suspended in thesecure domain. Accordingly, the non-secure operating system may performsome further processing, such as a task switch or the starting of adifferent non-secure thread NSB, whilst the original interrupt Int1remains unserviced.

FIG. 33 illustrates a technique whereby the problems associated with theoperation of FIG. 32 may be avoided. When the interrupt Int1 occurs, themonitor program passes this to the non-secure domain where a stubinterrupt handler is started. This stub interrupt handler is relativelysmall and quickly returns processing to the secure domain via themonitor mode and triggers an interrupt handler for the interrupt Int1within the secure domain. The interrupt Int1 is primarily processedwithin the secure domain and the starting of the stub interrupt handlerin the non-secure domain can be regarded as a type of placeholder toindicate to the non-secure domain that the interrupt is pending in thesecure domain.

The interrupt handler in the secure domain for the interrupt Int1 isagain subject to a high priority Int2. This triggers execution of theinterrupt handler for the interrupt Int2 in the non-secure domain asbefore. However, in this case, when that interrupt handler for Int2 hasfinished, the non-secure operating system has data indicating that thestub interrupt handler for interrupt Int1 is still outstanding andaccordingly will resume this stub interrupt handler. This stub interrupthandler will appear as if it were suspended at the point at which itmade its call back to the secure domain and accordingly this call willbe re-executed and thus the switch made to the secure domain. Once backin the secure domain, the secure domain can itself re-start theinterrupt handler for the interrupt Int1 at the point at which it wassuspended. When the interrupt handler for the interrupt Int1 hascompleted within the secure domain, a call is made back to thenon-secure domain to close down the stub interrupt handler in thenon-secure domain before the originally executing secure thread SA isresumed.

FIG. 34 schematically illustrates different types of interrupt withtheir associated priorities and how they may be handled. High priorityinterrupts may be handled using purely secure domain interrupt handlersproviding there is no higher priority interrupt that is handled by thenon-secure domain. Once there is an interrupt having a priority higherthan subsequent interrupts and which is handled in the non-securedomain, then all lower interrupts must either be handled purely in thenon-secure domain or utilise the stub interrupt handler techniqueillustrated in FIG. 33 whereby the non-secure domain can keep track ofthese interrupts even though their main handling is occurring within thesecure domain.

As mentioned earlier, the monitor mode is used to perform switchingbetween the secure domain and the non-secure domain. In embodimentswhere registers are shared between the two different domains, thisinvolves saving the state within those registers into memory, and thenloading the new state for the destination domain from memory into thoseregisters. For any registers which are not shared between the twodomains, the state need not be saved away, since those registers willnot be accessed by the other domain, and switching between the states isimplemented as a direct result of switching between the secure andnon-secure domains (i.e. the value of the S bit stored in one of theCP15 registers determines which of the non-shared registers are used).

Part of the state that needs to be switched whilst in the monitor modeis the processor configuration data controlling access to memory by theprocessor. Since within each domain there is a different view of thememory, for example the secure domain having access to secure memory forstoring secure data, this secure memory not being accessible from thenon-secure domain, it is clear that the processor configuration datawill need to be changed when switching between the domains.

As illustrated in FIG. 35, this processor configuration data is storedwithin the CP15 registers 34, and in one embodiment these registers areshared between the domains. Hence, when the monitor mode is switchedbetween the secure domain and the non-secure domain, the processorconfiguration data currently in the CP15 registers 34 needs to beswitched out of the CP15 registers into memory, and processorconfiguration data relating to the destination domain needs to be loadedinto the CP15 registers 34.

Since the processor configuration data in the CP15 registers typicallyhas an immediate effect on the access to memory within the system, thenit is clear that these settings would become immediately effective asthey are updated by the processor whilst operating in the monitor mode.However, this is undesirable since it is desirable for the monitor modeto have a static set of processor configuration data that control accessto memory whilst in monitor mode.

Accordingly, as shown in FIG. 35, in one embodiment of the presentinvention monitor mode specific processor configuration data 2000 isprovided, which can be used to override the processor configuration datain the CP15 registers 34 whilst the processor is operating in themonitor mode. This is achieved in the embodiment illustrated in FIG. 35through the provision of a multiplexer 2010 which receives at its inputsboth the processor configuration data stored in the CP15 registers andthe monitor mode specific processor configuration data 2000.Furthermore, the multiplexer 2010 receives a control signal over path2015 indicating whether the processor is currently operating in themonitor mode or not. If the processor is not operating in the monitormode, then the processor configuration data in the CP15 registers 34 isoutput to the system, but in the event that the processor is operatingin the monitor mode, the multiplexer 2010 instead outputs the monitormode specific processor configuration data 2000 to ensure that aconsistent set of processor configuration data is applied while theprocessor is operating in the monitor mode.

The monitor mode specific processor configuration data can be hard-codedwithin the system, thereby ensuring that it cannot be manipulated.However, it is possible that the monitor mode specific processorconfiguration data 2000 could be made programmable without compromisingsecurity, provided that that monitor mode specific processorconfiguration data could only be modified by the processor whenoperating in a secure privileged mode. This would allow some flexibilityas to the setting of the monitor mode specific processor configurationdata. If the monitor mode specific processor configuration data isarranged to be programmable, that configuration data can be stored inany appropriate place within the system, for example within a separateset of registers within the CP15 registers 34.

Typically, the monitor mode specific processor configuration data willbe set so as to provide a very secure environment for operation of theprocessor in the monitor mode. Hence, in the above-described embodiment,the monitor mode specific processor configuration data may specify thatthe memory management unit 30 is disabled whilst the processor isoperating in the monitor mode, thereby disabling any virtual to physicaladdress translation that might otherwise be applied by the memorymanagement unit. In such a situation, the processor will always bearranged to directly issue physical addresses when issuing memory accessrequests, i.e. flat mapping will be employed. This ensures that theprocessor can reliably access memory whilst operating in the monitormode, irrespective of whether any virtual to physical address mappingshave been tampered with.

The monitor mode specific processor configuration data would alsotypically specify that the processor is allowed to access the securedata whilst the processor is operating in the monitor mode. This ispreferably specified by memory permission data taking the form of adomain status bit, this domain status bit having the same value thatwould be specified for the corresponding domain status bit (“S” bit)within the secure processor configuration data. Hence, irrespective ofthe actual value of the domain status bit stored within the CP15registers, that value will get overridden by the domain status bitspecified by the monitor mode specific processor configuration data, toensure that the monitor mode has access to secure data.

The monitor mode specific processor configuration data may also specifyother data used to control access to parts of the memory. For example,the monitor mode specific processor configuration data may specify thatthe cache 38 is not to be used to access data whilst the processor isoperating in the monitor mode.

In the embodiment described above, it has been assumed that all of theCP15 registers containing processor configuration data are sharedbetween the domains. However, in an alternative embodiment, a number ofthe CP15 registers are “banked”, so that for example there are tworegisters for storing a particular item of processor configuration data,one register being accessible in the non-secure domain and containingthe value of that item of processor configuration data for thenon-secure domain, and the other register being accessible in the securedomain and containing the value of that item of processor configurationdata for the secure domain.

One CP15 register that will not be banked is the one containing the “S”bit, but in principle any of the other CP15 registers may be banked ifdesired. In such embodiments, the switching of the processorconfiguration data by the monitor mode involves switching out of anyshared CP15 registers into memory the processor configuration datacurrently in those shared registers, and loading into those shared CP15registers the processor configuration data relating to the destinationdomain. For any banked registers, the processor configuration data neednot be stored away to memory, and instead the switching will occurautomatically as a result of changing the S bit value stored in therelevant shared CP15 register.

As mentioned earlier, the monitor mode processor configuration data willinclude a domain status bit which overrides that stored in the relevantCP15 register but has the same value as that used for the domain statusbit used in the secure domain (i.e. an S bit value of 1 in the abovedescribed embodiments). When a number of the CP15 registers are banked,this means that at least part of the monitor mode specific processorconfiguration data 2000 in FIG. 35 can be derived from the secureprocessor configuration data stored in banked registers since thoseregisters contents are not written out to memory during the switchingprocess.

Hence, as an example, since the monitor mode specific processorconfiguration data will specify a domain status bit to override thatwhich is otherwise used when not in monitor mode, and in preferredembodiments this has the same value as that used in the secure domain,this means that the logic that selects which of the banked CP15registers are accessible will allow the secure banked CP15 registers tobe accessed. By allowing the monitor mode to use this secure processorconfiguration data as the relevant part of the monitor mode specificprocessor configuration data, a saving in resource can be realised sinceit is no longer necessary to provide a separate set of registers forthose items of monitor mode specific processor configuration data.

FIG. 36 is a flow diagram illustrating the steps performed to switch theprocessor configuration data when a transition between one domain andthe other is required. As mentioned previously, an SMI instruction isissued in order to instigate the transition between domains.Accordingly, at step 2020, the issuance of an SMI instruction isawaited. When an SMI instruction is received, the processor proceeds tostep 2030, where the processor begins running the monitor program inmonitor mode, this causing the monitor mode specific processorconfiguration data to be used as a result of the control signal on path2015 into the multiplexer 2010 causing the multiplexer to switch to thatmonitor mode specific processor configuration data. As mentionedearlier, this can be a self-contained set of data, or certain parts ofit may be derived from the secure processor configuration data stored inbanked registers.

Thereafter, at step 2040, the current state is saved from the domainissuing the SMI instruction into memory, this including saving from anyshared CP15 registers the state of the processor configuration datarelevant to that domain. Typically, there will be a portion of memoryset aside for the storage of such state. Then, at step 2050, the statepointer is switched to point to the portion of memory that contains thecorresponding state for the destination domain. Hence, typically, therewill be two portions of memory allocated for storing state information,one allocated for storing the state for the non-secure domain, and oneallocated for storing the state for the secure domain.

Once the state pointer has been switched at step 2050, that state nowpointed to by the state pointer is loaded into the relevant shared CP15registers at step 2060, this including loading in the relevant processorconfiguration data for the destination domain. Thereafter, at step 2070,the monitor program is exited, as is the monitor mode, and the processorthen switches to the required mode in the destination domain.

FIG. 37 illustrates in more detail the operation of the memorymanagement logic 30 of one embodiment of the present invention. Thememory management logic consists of a Memory Management Unit (MMU) 200and a Memory Protection Unit (MPU) 220. Any memory access request issuedby the core 10 that specifies a virtual address will be passed over path234 to the MMU 200, the MMU 200 being responsible for performingpredetermined access control functions, more particularly fordetermining the physical address corresponding to that virtual address,and for resolving access permission rights and determining regionattributes.

The memory system of the data processing apparatus consists of securememory and non-secure memory, the secure memory being used to storesecure data that is intended only to be accessible by the core 10, orone or more other master devices, when that core or other device isoperating in a secure mode of operation, and is accordingly operating inthe secure domain.

In the embodiment of the present invention illustrated in FIG. 37, thepolicing of attempts to access secure data in secure memory byapplications running on the core 10 in non-secure mode is performed bythe partition checker 222 within the MPU 220, the MPU 220 being managedby the secure operating system, also referred to herein as the securekernel.

In accordance with preferred embodiments of the present invention anon-secure page table 58 is provided within non-secure memory, forexample within a non-secure memory portion of external memory 56, and isused to store for each of a number of non-secure memory regions definedwithin that page table a corresponding descriptor. The descriptorcontains information from which the MMU 200 can derive access controlinformation required to enable the MMU to perform the predeterminedaccess control functions, and accordingly in the embodiment describedwith reference to FIG. 37 will provide information about the virtual tophysical address mapping, the access permission rights, and any regionattributes.

Furthermore, in accordance with the preferred embodiments of the presentinvention, at least one secure page table 58 is provided within securememory of the memory system, for example within a secure part ofexternal memory 56, which again for a number of memory regions definedwithin the table provides an associated descriptor. When the processoris operating in a non-secure mode, the non-secure page table will bereferenced in order to obtain relevant descriptors for use in managingmemory accesses, whilst when the processor is operating in secure mode,descriptors from the secure page table will be used.

The retrieval of descriptors from the relevant page table into the MMUproceeds as follows. In the event that the memory access request issuedby the core 10 specifies a virtual address, a lookup is performed in themicro-TLB 206 which stores for one of a number of virtual addressportions the corresponding physical address portions obtained from therelevant page table. Hence, the micro-TLB 206 will compare a certainportion of the virtual address with the corresponding virtual addressportion stored within the micro-TLB to determine if there is a match.The portion compared will typically be some predetermined number of mostsignificant bits of the virtual address, the number of bits beingdependent on the granularity of the pages within the page table 58. Thelookup performed within the micro-TLB 206 will typically be relativelyquick, since the micro-TLB 206 will only include a relatively few numberof entries, for example eight entries.

In the event that there is no match found within the micro-TLB 206, thenthe memory access request is passed over path 242 to the main TLB 208which contains a number of descriptors obtained from the page tables. Aswill be discussed in more detail later, descriptors from both thenon-secure page table and the secure page table can co-exist within themain TLB 208, and each entry within the main TLB has a correspondingflag (referred to herein as a domain flag) which is settable to indicatewhether the corresponding descriptor in that entry has been obtainedfrom a secure page table or a non-secure page table. In any embodimentswhere all secure modes of operation specify physical addresses directlywithin their memory access requests, it will be appreciated that therewill not be a need for such a flag within the main TLB, as the main TLBwill only store non-secure descriptors.

Within the main TLB 208, a similar lookup process is performed todetermine whether the relevant portion of the virtual address issuedwithin the memory access request corresponds with any of the virtualaddress portions associated with descriptors in the main TLB 208 thatare relevant to the particular mode of operation. Hence, if the core 10is operating in non-secure mode, only those descriptors within the mainTLB 208 which have been obtained from the non-secure page table will bechecked, whereas if the core 10 is operating in secure mode, only thedescriptors within the main TLB that have been obtained from the securepage table will be checked.

If there is a hit within the main TLB as a result of that checkingprocess, then the access control information is extracted from therelevant descriptor and passed back over path 242. In particular, thevirtual address portion and the corresponding physical address portionof the descriptor will be routed over path 242 to the micro-TLB 206, forstorage in an entry of the micro-TLB, the access permission rights willbe loaded into the access permission logic 202, and the regionattributes will be loaded into the region attribute logic 204. Theaccess permission logic 202 and region attribute logic 204 may beseparate to the micro-TLB, or may be incorporated within the micro-TLB.

At this point, the MMU 200 is then able to process the memory accessrequest since there will now be a hit within the micro-TLB 206.Accordingly, the micro-TLB 206 will generate the physical address, whichcan then be output over path 238 onto the system bus 40 for routing tothe relevant memory, this being either on-chip memory such as the TCM36, cache 38, etc, or one of the external memory units accessible viathe external bus interface 42. At the same time, the access permissionlogic 202 will determine whether the memory access is allowed, and willissue an abort signal back to the core 10 over path 230 if it determinesthat the core is not allowed to access the specified memory location inits current mode of operation. For example, certain portions of memory,whether in secure memory or non-secure memory, may be specified as onlybeing accessible by the core when that core is operating in supervisormode, and accordingly if the core 10 is seeking to access such a memorylocation when in, for example, user mode, the access permission logic202 will detect that the core 10 does not currently have the appropriateaccess rights, and will issue the abort signal over path 230. This willcause the memory access to be aborted. Finally, the region attributelogic 204 will determine the region attributes for the particular memoryaccess, such as whether the access is cacheable, bufferable, etc, andwill issue such signals over path 232, where they will then be used todetermine whether the data the subject of the memory access request canbe cached, for example within the cache 38, whether in the event of awrite access the write data can be buffered, etc.

In the event that there was no hit within the main TLB 208, then thetranslation table walk logic 210 is used to access the relevant pagetable 58 in order to retrieve the required descriptor over path 248, andthen pass that descriptor over path 246 to the main TLB 208 for storagetherein. The base address for both the non-secure page table and thesecure page table will be stored within registers of CP15 34, and thecurrent domain in which the processor core 10 is operating, i.e. securedomain or non-secure domain, will also be set within a register of CP15,that domain status register being set by the monitor mode when atransition occurs between the non-secure domain and the secure domain,or vice versa. The content of the domain status register will bereferred to herein as the domain bit. Accordingly, if a translationtable walk process needs to be performed, the translation table walklogic 210 will know in which domain the core 10 is executing, andaccordingly which base address to use to access the relevant table. Thevirtual address is then used as an offset to the base address in orderto access the appropriate entry within the appropriate page table inorder to obtain the required descriptor.

Once the descriptor has been retrieved by the translation table walklogic 210, and placed within the main TLB 208, a hit will then beobtained within the main TLB, and the earlier described process will beinvoked to retrieve the access control information, and store it withinthe micro-TLB 206, the access permission logic 202 and the regionattribute logic 204. The memory access can then be actioned by the MMU200.

As mentioned earlier, in preferred embodiments, the main TLB 208 canstore descriptors from both the secure page table and the non-securepage table, but the memory access requests are only processed by the MMU200 once the relevant information is stored within the micro-TLB 206. Inpreferred embodiments, the transfer of information between the main TLB208 and the micro-TLB 206 is monitored by the partition checker 222located within the MPU 220 to ensure that, in the event that the core 10is operating in a non-secure mode, no access control information istransferred into the micro-TLB 206 from descriptors in the main TLB 208if that would cause a physical address to be generated which is withinsecure memory.

The memory protection unit is managed by the secure operating system,which is able to set within registers of the CP15 34 partitioninginformation defining the partitions between the secure memory and thenon-secure memory. The partition checker 222 is then able to referencethat partitioning information in order to determine whether accesscontrol information is being transferred to the micro-TLB 206 whichwould allow access by the core 10 in a non-secure mode to secure memory.More particularly, in preferred embodiments, when the core 10 isoperating in a non-secure mode of operation, as indicated by the domainbit set by the monitor mode within the CP15 domain status register, thepartition checker 222 is operable to monitor via path 244 any physicaladdress portion seeking to be retrieved into the micro-TLB 206 from themain TLB 208 and to determine whether the physical address that wouldthen be produced for the virtual address based on that physical addressportion would be within the secure memory. In such circumstances, thepartition checker 222 will issue an abort signal over path 230 to thecore 10 to prevent the memory access from taking place.

It will be appreciated that in addition the partition checker 222 can bearranged to actually prevent that physical address portion from beingstored in the micro-TLB 206 or alternatively the physical addressportion may still be stored within the micro-TLB 206, but part of theabort process would be to remove that incorrect physical address portionfrom the micro-TLB 206, for example by flushing the micro-TLB 206.

Whenever the core 10 changes via the monitor mode between a non-securemode and a secure mode of operation, the monitor mode will change thevalue of the domain bit within the CP15 domain status register toindicate the domain into which the processor's operation is changing. Aspart of the transfer process between domains, the micro-TLB 206 will beflushed and accordingly the first memory access following a transitionbetween secure domain and non-secure domain will produce a miss in themicro-TLB 206, and require access information to be retrieved from mainTLB 208, either directly, or via retrieval of the relevant descriptorfrom the relevant page table.

By the above approach, it will be appreciated that the partition checker222 will ensure that when the core is operating in the non-securedomain, an abort of a memory access will be generated if an attempt ismade to retrieve into the micro-TLB 206 access control information thatwould allow access to secure memory.

If in any modes of operation of the processor core 10, the memory accessrequest is arranged to specify directly a physical address, then in thatmode of operation the MMU 200 will be disabled, and the physical addresswill pass over path 236 into the MPU 220. In a secure mode of operation,the access permission logic 224 and the region attribute logic 226 willperform the necessary access permission and region attribute analysisbased on the access permission rights and region attributes identifiedfor the corresponding regions within the partitioning informationregisters within the CP15 34. If the secure memory location seeking tobe accessed is within a part of secure memory only accessible in acertain mode of operation, for example secure privileged mode, then anaccess attempt by the core in a different mode of operation, for examplea secure user mode, will cause the access permission logic 224 togenerate an abort over path 230 to the core in the same way that theaccess permission logic 202 of the MMU would have produced an abort insuch circumstances. Similarly, the region attribute logic 226 willgenerate cacheable and bufferable signals in the same way that theregion attribute logic 204 of the MMU would have generated such signalsfor memory access requests specified with virtual addresses. Assumingthe access is allowed, the access request will then proceed over path240 onto the system bus 40, from where it is routed to the appropriatememory unit.

For a non-secure access where the access request specifies a physicaladdress, the access request will be routed via path 236 into thepartition checker 222, which will perform partition checking withreference to the partitioning information in the CP15 registers 34 inorder to determine whether the physical address specifies a locationwithin secure memory, in which event the abort signal will again begenerated over path 230.

The above described processing of the memory management logic will nowbe described in more detail with reference to the flow diagrams of FIGS.39 and 40. FIG. 39 illustrates the situation in which the programrunning on the core 10 generates a virtual address, as indicated by step300. The relevant domain bit within the CP15 domain status register 34as set by the monitor mode will indicate whether the core is currentlyrunning in a secure domain or the non-secure domain. In the event thatthe core is running in the secure domain, the process branches to step302, where a lookup is performed within the micro-TLB 206 to see if therelevant portion of the virtual address matches with one of the virtualaddress portions within the micro-TLB. In the event of a hit at step302, the process branches directly to step 312, where the accesspermission logic 202 performs the necessary access permission analysis.At step 314, it is then determined whether there is an access permissionviolation, and if there is the process proceeds to step 316, where theaccess permission logic 202 issues an abort over path 230. Otherwise, inthe absence of such an access permission violation, the process proceedsfrom step 314 to step 318, where the memory access proceeds. Inparticular the region attribute logic 204 will output the necessarycacheable and bufferable attributes over path 232, and the micro-TLB 206will issue the physical address over path 238 as described earlier.

If at step 302 there is a miss in the micro-TLB, then a lookup processis performed within the main TLB 208 at step 304 to determine whetherthe required secure descriptor is present within the main TLB. If not,then a page table walk process is executed at step 306, whereby thetranslation table walk logic 210 obtains the required descriptor fromthe secure page table, as described earlier with reference to FIG. 37.The process then proceeds to step 308, or proceeds directly to step 308from step 304 in the event that the secure descriptor was already in themain TLB 208.

At step 308, it is determined that the main TLB now contains the validtagged secure descriptor, and accordingly the process proceeds to step310, where the micro-TLB is loaded with the sub-section of thedescriptor that contains the physical address portion. Since the core 10is currently running in secure mode, there is no need for the partitionchecker 222 to perform any partition checking function.

The process then proceeds to step 312 where the remainder of the memoryaccess proceeds as described earlier.

In the event of a non-secure memory access, the process proceeds fromstep 300 to step 320, where a lookup process is performed in themicro-TLB 206 to determine whether the corresponding physical addressportion from a non-secure descriptor is present. If it is, then theprocess branches directly to step 336, where the access permissionrights are checked by the access permission logic 202. It is importantto note at this point that if the relevant physical address portion iswithin the micro-TLB, it is assumed that there is no security violation,since the partition checker 222 effectively polices the informationprior to it being stored within the micro-TLB, such that if theinformation is within the micro-TLB, it is assumed to be the appropriatenon-secure information. Once the access permission has been checked atstep 336, the process proceeds to step 338, where it is determinedwhether there is any violation, in which event an access permissionfault abort is issued at step 316. Otherwise, the process proceeds tostep 318 where the remainder of the memory access is performed, asdiscussed earlier.

In the event that at step 320 no hit was located in the micro-TLB, theprocess proceeds to step 322, where a lookup process is performed in themain TLB 208 to determine whether the relevant non-secure descriptor ispresent. If not, a page table walk process is performed at step 324 bythe translation table walk logic 210 in order to retrieve into the mainTLB 208 the necessary non-secure descriptor from the non-secure pagetable. The process then proceeds to step 326, or proceeds directly tostep 326 from step 322 in the event that a hit within the main TLB 208occurred at step 322. At step 326, it is determined that the main TLBnow contains the valid tagged non-secure descriptor for the virtualaddress in question, and then at step 328 the partition checker 222checks that the physical address that would be generated from thevirtual address of the memory access request (given the physical addressportion within the descriptor) will point to a location in non-securememory. If not, i.e. if the physical address points to a location insecure memory, then at step 330 it is determined that there is asecurity violation, and the process proceeds to step 332 where asecure/non-secure fault abort is issued by the partition checker 222.

If however the partition checker logic 222 determines that there is nosecurity violation, the process proceeds to step 334, where themicro-TLB is loaded with the sub-section of the relevant descriptor thatcontains the physical address portion, whereafter at step 336 the memoryaccess is then processed in the earlier described manner.

The handling of memory access requests that directly issue a physicaladdress will now be described with reference to FIG. 40. As mentionedearlier, in this scenario, the MMU 200 will be deactivated, thispreferably being achieved by the setting within a relevant register ofthe CP15 registers an MMU enable bit, this setting process beingperformed by the monitor mode. Hence, at step 350 the core 10 willgenerate a physical address which will be passed over path 236 into theMPU 220. Then, at step 352, the MPU checks permissions to verify thatthe memory access being requested can proceed given the current mode ofoperation, i.e. user, supervisor, etc. Furthermore, if the core isoperating in non-secure mode, the partition checker 222 will also checkat step 352 whether the physical address is within non-secure memory.Then, at step 354, it is determined whether there is a violation, i.e.whether the access permission processing has revealed a violation, or ifin non-secure mode, the partition checking process has identified aviolation. If either of these violations occurs, then the processproceeds to step 356 where an access permission fault abort is generatedby the MPU 220. It will be appreciated that in certain embodiments theremay be no distinction between the two types of abort, whereas inalternative embodiments the abort signal could indicate whether itrelates to an access permission fault or a security fault.

If no violation is detected at step 354, the process proceeds to step358, where the memory access to the location identified by the physicaladdress occurs.

In preferred embodiments only the monitor mode is arranged to generatephysical addresses directly, and accordingly in all other cases the MMU200 will be active and generation of the physical address from thevirtual address of the memory access request will occur as describedearlier.

FIG. 38 illustrates an alternative embodiment of the memory managementlogic in a situation where all memory access requests specify a virtualaddress, and accordingly physical addresses are not generated directlyin any of the modes of operation. In this scenario, it will beappreciated that a separate MPU 220 is not required, and instead thepartition checker 222 can be incorporated within the MMU 200. Thischange aside, the processing proceeds in exactly the same manner asdiscussed earlier with reference to FIGS. 37 and 39.

It will be appreciated that various other options are also possible. Forexample, assuming memory access requests may be issued by both secureand non-secure modes specifying virtual addresses, two MMUs could beprovided, one for secure access requests and one for non-secure accessrequests, i.e. MPU 220 in FIG. 37 could be replaced by a complete MMU.In such cases, the use of flags with the main TLB of each MMU to definewhether descriptors are secure or non-secure would not be needed, as oneMMU would store non-secure descriptors in its main TLB, and the otherMMU would store secure descriptors in its main TLB. Of course, thepartition checker would still be required to check whether an access tosecure memory is being attempted whilst the core is in the non-securedomain.

If, alternatively, all memory access requests directly specifiedphysical addresses, an alternative implementation might be to use twoMPUs, one for secure access requests and one for non-secure accessrequests. The MPU used for non-secure access requests would have itsaccess requests policed by a partition checker to ensure accesses tosecure memory are not allowed in non-secure modes.

As a further feature which may be provided with either the FIG. 37 orthe FIG. 38 arrangement, the partition checker 222 could be arranged toperform some partition checking in order to police the activities of thetranslation table walk logic 210. In particular, if the core iscurrently operating in the non-secure domain, then the partition checker222 could be arranged to check, whenever the translation table walklogic 210 is seeking to access a page table, that it is accessing thenon-secure page table rather than the secure page table. If a violationis detected, an abort signal would preferably be generated. Since thetranslation table walk logic 210 typically performs the page tablelookup by combining a page table base address with certain bits of thevirtual address issued by the memory access request, this partitionchecking may involve, for example, checking that the translation tablewalk logic 210 is using a base address of a non-secure page table ratherthan a base address of a secure page table.

FIG. 41 illustrates schematically the process performed by the partitionchecker 222 when the core 10 is operating in a non-secure mode. It willbe appreciated that in normal operation a descriptor obtained from thenon-secure page table should describe a page mapped in non-secure memoryonly. However, in the case of software attack, the descriptor may betampered with in order that it now describes a section that containsboth non-secure and secure regions of memory. Hence, considering theexample in FIG. 41, the corrupted non-secure descriptor may cover a pagethat includes non-secure areas 370, 372, 374 and secure areas 376, 378,380. If the virtual address issued as part of the memory access requestwould then correspond to a physical address in a secure memory region,for example the secure memory region 376 as illustrated in FIG. 41, thenthe partition checker 222 is arranged to generate an abort to preventthat access taking place. Hence, even though the non-secure descriptorhas been corrupted in an attempt to gain access to secure memory, thepartition checker 222 prevents the access taking place. In contrast, ifthe physical address that would be derived using this descriptorcorresponds to a non-secure memory region, for example region 374 asillustrated in FIG. 41, then the access control information loaded intothe micro-TLB 206 merely identifies this non-secure region 374. Hence,accesses within that non-secure memory region 374 can occur but noaccesses into any of the secure regions 376, 378 or 380 can occur. Thus,it can be seen that even though the main TLB 208 may contain descriptorsfrom the non-secure page table that have been tampered with, themicro-TLB will only contain physical address portions that will enableaccess to non-secure memory regions.

As described earlier, in embodiments where both non-secure modes andsecure modes may generate memory access requests specifying virtualaddresses, then the memory preferably comprises both a non-secure pagetable within non-secure memory, and a secure page table within securememory. When in non-secure mode, the non-secure page table will bereferenced by the translation table walk logic 210, whereas when insecure mode, the secure page table will be referenced by the translationtable walk logic 210. FIG. 42 illustrates these two page tables. Asshown in FIG. 42, the non-secure memory 390, which may for example bewithin external memory 56 of FIG. 1, includes within it a non-securepage table 395 specified in a CP15 register 34 by reference to a baseaddress 397. Similarly, within secure memory 400, which again may bewithin the external memory 56 of FIG. 1, a corresponding secure pagetable 405 is provided which is specified within a duplicate CP15register 34 by a secure page table base address 407. Each descriptorwithin the non-secure page table 395 will point to a correspondingnon-secure page in non-secure memory 390, whereas each descriptor withinthe secure page table 405 will define a corresponding secure page in thesecure memory 400. In addition, as will be described in more detaillater, it is possible for certain areas of memory to be shared memoryregions 410, which are accessible by both non-secure modes and securemodes.

FIG. 43 illustrates in more detail the lookup process performed withinthe main TLB 208 in accordance with preferred embodiments. As mentionedearlier, the main TLB 208 includes a domain flag 425 which identifieswhether the corresponding descriptor 435 is from the secure page tableor the non-secure page table. This ensures that when a lookup process isperformed, only the descriptors relevant to the particular domain inwhich the core 10 is operating will be checked. FIG. 43 illustrates anexample where the core is running in the secure domain, also referred toas the secure world. As can be seen from FIG. 43, when a main TLB 208lookup is performed, this will result in the descriptors 440 beingignored, and only the descriptors 445 being identified as candidates forthe lookup process.

In accordance with preferred embodiments, an additional process ID flag430, also referred to herein as the ASID flag, is provided to identifydescriptors from process specific page tables. Accordingly, processesP1, P2 and P3 may each have corresponding page tables provided withinthe memory, and further may have different page tables for non-secureoperation and secure operation. Further, it will be appreciated that theprocesses P1, P2, P3 in the secure domain may be entirely separateprocesses to the processes P1, P2, P3 in the non-secure domain.Accordingly, as shown in FIG. 43, in addition to checking the domainwhen a main TLB lookup 208 is required, the ASID flag is also checked.

Accordingly, in the example in FIG. 43 where in the secure domain,process P1 is executing, this lookup process identifies just the twoentries 450 within the main TLB 208, and a hit or miss is then generateddependent on whether the virtual address portion within those twodescriptors matches with the corresponding portion of the virtualaddress issued by the memory access request. If it does, then therelevant access control information is extracted and passed to themicro-TLB 206, the access permission logic 202 and the region attributelogic 204. Otherwise, a miss occurs, and the translation table walklogic 210 is used to retrieved into the main TLB 208 the requireddescriptor from the page table provided for secure process P1. As willbe appreciated by those skilled in the art, there are many techniquesfor managing the content of a TLB, and accordingly when a new descriptoris retrieved for storage in the main TLB 208, and the main TLB isalready full, any one of a number of known techniques may be used todetermine which descriptor to evict from the main TLB to make room forthe new descriptor, for example least recently used approaches, etc.

It will be appreciated that the secure kernel used in secure modes ofoperation may be developed entirely separately to the non-secureoperating system. However, in certain cases the secure kernel and thenon-secure operating system development may be closely linked, and insuch situations it may be appropriate to allow secure applications touse the non-secure descriptors. Indeed, this will allow the secureapplications to have direct access to non-secure data (for sharing) byknowing only the virtual address. This of course presumes that thesecure virtual mapping and the non-secure virtual mapping are exclusivefor a particular ASID. In such scenarios, the tag introduced previously(i.e. the domain flag) to distinguish between secure and non-securedescriptors will not be needed. The lookup in the TLB is instead thenperformed with all of descriptors available.

In preferred embodiments, the choice between this configuration of themain TLB, and the earlier described configuration with separate secureand non-secure descriptors, can be set by a particular bit providedwithin the CP15 control registers. In preferred embodiments, this bitwould only be set by the secure kernel.

In embodiments where the secure application were directly allowed to usea non-secure virtual address, it would be possible to make a non-securestack pointer available from the secure domain. This can be done bycopying a non-secure register value identifying the non-secure stackpointer into a dedicated register within the CP15 registers 34. Thiswill then enable the non-secure application to pass parameters via thestack according to a scheme understood by the secure application.

As described earlier, the memory may be partitioned into non-secure andsecure parts, and this partitioning is controlled by the secure kernelusing the CP15 registers 34 dedicated to the partition checker 222. Thebasic partitioning approach is based on region access permissions asdefinable in typical MPU devices. Accordingly, the memory is dividedinto regions, and each region is preferably defined with its baseaddress, size, memory attributes and access permissions. Further, whenoverlapping regions are programmed, the attributes of the upper regiontake highest priority. Additionally, in accordance with preferredembodiments of the present invention, a new region attribute is providedto define whether that corresponding region is in secure memory or innon-secure memory. This new region attribute is used by the securekernel to define the part of the memory that is to be protected assecure memory.

At the boot stage, a first partition is performed as illustrated in FIG.44. This initial partition will determine the amount of memory 460allocated to the non-secure world, non-secure operating system andnon-secure applications. This amount corresponds to the non-secureregion defined in the partition. This information will then be used bythe non-secure operating system for its memory management. The rest ofthe memory 462, 464, which is defined as secure, is unknown by thenon-secure operating system. In order to protect integrity in thenon-secure world, the non-secure memory may be programmed with accesspermission for secure privileged modes only. Hence, secure applicationswill not corrupt the non-secure ones. As can be seen from FIG. 44,following this boot stage partition, memory 460 is available for use bythe non-secure operating system, memory 462 is available for use by thesecure kernel, and memory 464 is available for use by secureapplications.

Once the boot stage partition has been performed, memory mapping of thenon-secure memory 460 is handled by the non-secure operating systemusing the MMU 200, and accordingly a series of non-secure pages can bedefined in the usual manner. This is illustrated in FIG. 45.

If a secure application needs to share memory with a non-secureapplication, the secure kernel can change the rights of a part of thememory to transfer artificially data from one domain to the other.Hence, as illustrated in FIG. 46, the secure kernel can, after checkingthe integrity of a non-secure page, change the rights of that page suchthat it becomes a secure page 466 accessible as shared memory.

When the partition of the memory is changed, the micro-TLB 206 needs tobe flushed. Hence, in this scenario, when a non-secure accesssubsequently occurs, a miss will occur in the micro-TLB 206, andaccordingly a new descriptor will be loaded from the main TLB 208. Thisnew descriptor will subsequently be checked by the partition checker 222of the MPU as it is attempted to retrieve it into the micro-TLB 206, andso will be consistent with the new partition of the memory.

In preferred embodiments, the cache 38 is virtual-indexed andphysical-tagged. Accordingly, when an access is performed in the cache38, a lookup will have already been performed in the micro-TLB 206first, and accordingly access permissions, especially secure andnon-secure permissions, will have been checked. Accordingly, secure datacannot be stored in the cache 38 by non-secure applications. Access tothe cache 38 is under the control of the partition checking performed bythe partition checker 222, and accordingly no access to secure data canbe performed in non-secure mode.

However, one problem that could occur would be for an application in thenon-secure domain to be able to use the cache operations register toinvalidate, clean, or flush the cache. It needs to be ensured that suchoperations could not affect the security of the system. For example, ifthe non-secure operating system were to invalidate the cache 38 withoutcleaning it, any secure dirty data must be written to the externalmemory before being replaced. Preferably, secure data is tagged in thecache, and accordingly can be dealt with differently if desired.

In preferred embodiments, if an “invalidate line by address” operationis executed by a non-secure program, the physical address is checked bythe partition checker 222, and if the cache line is a secure cache line,the operation becomes a “clean and invalidate” operation, therebyensuring that the security of the system is maintained. Further, inpreferred embodiments, all “invalidate line by index” operations thatare executed by a non-secure program become “clean and invalidate byindex” operations. Similarly, all “invalidate all” operations executedby a non-secure program become “clean and invalidate all” operations.

Furthermore, with reference to FIG. 1, any access to the TCM 36 by theDMA 32 is controlled by the micro-TLB 206. Hence, when the DMA 32performs a lookup in the TLB to translate its virtual address into aphysical one, the earlier described flags that were added in the mainTLB allow the required security checking to be performed, just as if theaccess request had been issued by the core 10. Further, as will bediscussed later, a replica partition checker is coupled to the externalbus 70, preferably being located within the arbiter/decoder block 54,such that if the DMA 32 directly accesses the memory coupled to theexternal bus 70 via the external bus interface 42, the replica partitionchecker connected to that external bus checks the validity of theaccess. Furthermore, in certain preferred embodiments, it would bepossible to add a bit to the CP15 registers 34 to define whether the DMAcontroller 32 can be used in the non-secure domain, this bit only beingallowed to be set by the secure kernel when operating in a privilegedmode.

Considering the TCM 36, if secure data is to placed within the TCM 36,this must be handled with care. As an example, a scenario could beimagined where the non-secure operating system programs the physicaladdress range for the TCM memory 36 so that it overlaps an externalsecure memory part. If the mode of operation then changes to a securemode, the secure kernel may cause data to be stored in that overlappingpart, and typically the data would be stored in the TCM 36, since theTCM 36 will typically have a higher priority than the external memory.If the non-secure operating system were then to change the setting ofthe physical address space for the TCM 36 so that the previous secureregion is now mapped in a non-secure physical area of memory, it will beappreciated that the non-secure operating system can then access thesecure data, since the partition checker will see the area as non-secureand won't assert an abort. Hence, to summarise, if the TCM is configuredto act as normal local RAM and not as SmartCache, it may be possible forthe non-secure operating system to read secure world data if it can movethe TCM base register to non-secure physical address.

To prevent this kind of scenario, a control bit is in preferredembodiments provided within the CP15 registers 34 which is onlyaccessible in secure privilege modes of operation, and provides twopossible configurations. In a first configuration, this control bit isset to “1”, in which event the TCM can only be controlled by the secureprivilege modes. Hence, any non-secure access attempted to the TCMcontrol registers within the CP15 34 will cause an undefined instructionexception to be entered. Thus, in this first configuration, both securemodes and non-secure modes can use the TCM, but the TCM is controlledonly by the secure privilege mode. In the second configuration, thecontrol bit is set to “0”, in which event the TCM can be controlled bythe non-secure operating system. In this case, the TCM is only used bythe non-secure applications. No secure data can be stored to or loadedfrom the TCM. Hence, when a secure access is performed, no look-up isperformed within the TCM to see if the address matched the TCM addressrange.

By default, it is envisaged that the TCM would be used only bynon-secure operating systems, as in this scenario the non-secureoperating system would not need to be changed.

As mentioned earlier, in addition to the provision of the partitionchecker 222 within the MPU 220, preferred embodiments of the presentinvention also provide an analogous partition checking block coupled tothe external bus 70, this additional partition checker being used topolice accesses to memory by other master devices, for example thedigital signal processor (DSP) 50, the DMA controller 52 coupleddirectly to the external bus, the DMA controller 32 connectable to theexternal bus via the external bus interface 42, etc. Indeed in someembodiments, as will be discussed later, it is possible to solely have apartition checking block coupled to the external (or device) bus, andnot to provide a partition checker as part of the memory managementlogic 30. In some such embodiments, a partition checker may optionallybe provided as part of the memory management logic 30, in such instancesthis partition checker be considered as a further partition checkerprovided in addition to the one coupled to the device bus.

As mentioned earlier, the entire memory system can consist of severalmemory units, and a variety of these may exist on the external bus 70,for example the external memory 56, boot ROM 44, or indeed buffers orregisters 48, 62, 66 within peripheral devices such as the screen driver46, I/O interface 60, key storage unit 64, etc. Furthermore, differentparts of the memory system may need to be defined as secure memory, forexample it may be desired that the key buffer 66 within the key storageunit 64 should be treated as secure memory. If an access to such securememory were to be attempted by a device coupled to the external bus,then it is clear that the earlier described memory management logic 30provided within the chip containing the core 10 would not be able topolice such accesses.

FIG. 47 illustrates how the additional partition checker 492 coupled tothe external bus, also referred to herein as the device bus, is used.The external bus would typically be arranged such that whenever memoryaccess requests were issued onto that external bus by devices, such asdevices 470, 472, those memory access requests would also includecertain signals on the external bus defining the mode of operation, forexample privileged, user, etc. In accordance with preferred embodimentsof the present invention the memory access request also involvesissuance of a domain signal onto the external bus to identify whetherthe device is operating in secure mode or non-secure mode. This domainsignal is preferably issued at the hardware level, and in preferredembodiments a device capable of operating in secure or non-securedomains will include a predetermined pin for outputting the domainsignal onto path 490 within the external bus. For the purpose ofillustration, this path 490 is shown separately to the other signalpaths 488 on the external bus.

This domain signal, also referred to herein as the “S bit” will identifywhether the device issuing the memory access request is operating insecure domain or non-secure domain, and this information will bereceived by the partition checker 492 coupled to the external bus. Thepartition checker 492 will also have access to the partitioninginformation identifying which regions of memory are secure ornon-secure, and accordingly can be arranged to only allow a device tohave access to a secure part of memory if the S bit is asserted toidentify a secure mode of operation.

By default, it is envisaged that the S bit would be unasserted, andaccordingly a pre-existing non-secure device, such as device 472illustrated in FIG. 47, would not output an asserted S bit andaccordingly would never be granted access by the partition checker 492to any secure parts of memory, whether that be within registers orbuffers 482, 486 within the screen driver 480, the I/O interface 484, orwithin the external memory 474.

For the sake of illustration, the arbiter block 476 used to arbitratebetween memory access requests issued by master devices, such as devices470, 472, is illustrated separately to the decoder 478 used to determinethe appropriate memory device to service the memory access request, andseparate from the partition checker 492. However, it will be appreciatedthat one or more of these components may be integrated within the sameunit if desired.

FIG. 48 illustrates an alternative embodiment, in which a partitionchecker 492 is not provided, and instead each memory device 474, 480,484 is arranged to police its own memory access dependent on the valueof the S bit. Accordingly, if device 470 were to assert a memory accessrequest in non-secure mode to a register 482 within the screen driver480 that was marked as secure memory, then the screen driver 480 woulddetermine that the S bit was not asserted, and would not process thememory access request. Accordingly, it is envisaged that withappropriate design of the various memory devices, it may be possible toavoid the need for a partition checker 492 to be provided separately onthe external bus.

In the above description of FIGS. 47 and 48, the “S bit” is said toidentify whether the device issuing the memory access request isoperating in secure domain or non-secure domain. Viewed another way,this S bit can be seen to indicate whether the memory access requestpertains to the secure domain or the non-secure domain.

In the embodiments described with reference to FIGS. 37 and 38, a singleMMU, along with a single set of page tables, was used to perform virtualto physical address translation. With such an approach, the physicaladdress space would typically be segmented between non-secure memory andsecure memory in a simplistic manner such as illustrated in FIG. 49.Here a physical address space 2100 includes an address space starting ataddress zero and extending to address Y for one of the memory unitswithin the memory system, for example the external memory 56. For eachmemory unit, the addressable memory would typically be sectioned intotwo parts, a first part 2110 being allocated as non-secure memory and asecond part 2120 being allocated as secure memory.

With such an approach, it will be appreciated that there are certainphysical addresses which are not accessible to particular domain(s), andthese gaps would be apparent to the operating system used in thosedomain(s). Whilst the operating system used in the secure domain willhave knowledge of the non-secure domain, and hence will not be concernedby this, the operating system in the non-secure domain should ideallynot need to have any knowledge of the presence of the secure domain, butinstead should operate as though the secure domain were not there.

As a further issue, it will be appreciated that a non-secure operatingsystem will see its address space for the external memory as starting ataddress zero and extending to address X, and the non-secure operatingsystem need know nothing about the secure kernel and in particular thepresence of the secure memory extending from address X+1 up to addressY. In contrast, the secure kernel will not see its address spacebeginning at address zero, which is not what an operating system wouldtypically expect.

One embodiment which alleviates the above concerns by allowing thesecure memory regions to be completely hidden from the non-secureoperating system's view of its physical address space, and by enablingboth the secure kernel in the secure domain and the non-secure operatingsystem in the non-secure domain to see their address space for externalmemory as beginning at address zero is illustrated schematically in FIG.51. Here, the physical address space 2200 is able to be segmented at thepage level into either secure or non-secure segments. In the exampleillustrated in FIG. 51, the address space for the external memory isshown as being segmented into four sections 2210, 2220, 2230, and 2240,consisting of two secure memory regions and two non-secure memoryregions.

Rather than transitioning between the virtual address space and thephysical address space via a single page table conversion, two separatelayers of address translation are performed with reference to a firstpage table and a second page table, thereby enabling the concept of anintermediate address space to be introduced which can be arrangeddifferently, dependent on whether the processor is in the secure domainor the non-secure domain. More particularly, as illustrated in FIG. 51,the two secure memory regions 2210 and 2230 in the physical addressspace can be mapped to the single region 2265 in the intermediateaddress space for the secure domain by use of descriptors providedwithin a secure page table within the set of page tables 2250. As far asthe operating system running on the processor is concerned, it will seethe intermediate address space as being the physical address space, andwill use an MMU to convert virtual addresses into intermediate addresseswithin the intermediate address space.

Similarly, an intermediate address space 2270 can be configured for thenon-secure domain, in which the two non-secure memory regions 2220 and2240 in the physical address space are mapped to the non-secure region2275 in the intermediate address space for the non-secure domain viacorresponding descriptors in a non-secure page table within the set ofpage tables 2250.

In one embodiment, the translation of virtual addresses into physicaladdresses via intermediate addresses is handled using two separate MMUsas illustrated in FIG. 50A. Each of the MMUs 2150 and 2170 in FIG. 50Acan be considered as being constructed in a similar manner to the MMU200 shown in FIG. 37, but for the sake of ease of illustration certaindetail has been omitted in FIG. 50A.

The first MMU 2150 includes a micro-TLB 2155, a main TLB 2160 andtranslation table walk logic 2165, while similarly the second MMU 2170includes a micro-TLB 2175, a main TLB 2180 and translation table walklogic 2185. The first MMU may be controlled by the non-secure operatingsystem when the processor is operating in the non-secure domain, or bythe secure kernel when the processor is operating in the secure domain.However, in preferred embodiments, the second MMU is only controllableby the secure kernel, or by the monitor program.

When the processor core 10 issues a memory access request, it will issuea virtual address over path 2153 to the micro-TLB 2155. The micro-TLB2155 will store for a number of virtual address portions correspondingintermediate address portions retrieved from descriptors stored withinthe main TLB 2160, the descriptors in the main TLB 2160 having beenretrieved from page tables in a first set of page tables associated withthe first MMU 2150. If a hit is detected within the micro-TLB 2155, thenthe micro-TLB 2155 can issue over path 2157 an intermediate addresscorresponding to the virtual address received over path 2153. If thereis no hit within the micro-TLB 2155, then the main TLB 2160 will bereferenced to see if a hit is detected within the main TLB, and if sothe relevant virtual address portion and corresponding intermediateaddress portion will be retrieved into the micro-TLB 2155, whereafterthe intermediate address can be issued over path 2157.

If there is no hit within the micro-TLB 2155 and the main TLB 2160, thenthe translation table walk logic 2165 is used to issue a request for therequired descriptor from a predetermined page table in a first set ofpage tables accessible by the first MMU 2150. Typically, there may bepage tables associated with individual processes for both secure domainor non-secure domain, and the intermediate base addresses for those pagetables will be accessible by the translation table walk logic 2165, forexample from appropriate registers within the CP15 registers 34.Accordingly, the translation table walk logic 2165 can issue anintermediate address over path 2167 to request a descriptor from theappropriate page table.

The second MMU 2170 is arranged to receive any intermediate addressesoutput by the micro-TLB 2155 over path 2157, or by the translation tablewalk logic 2165 over path 2167, and if a hit is detected within themicro-TLB 2175, the micro-TLB can then issue the required physicaladdress over path 2192 to memory to cause the required data to beretrieved over the data bus 2190. In the event of an intermediateaddress issued over path 2157, this will cause the required data to bereturned to the core 10, whilst for an intermediate address issued overpath 2167, this will cause the required descriptor to be returned to thefirst MMU 2150 for storage within the main TLB 2160.

In the event of a miss in the micro-TLB 2175, the main TLB 2180 will bereferenced, and if there is a hit within the main TLB, the requiredintermediate address portion and corresponding physical address portionwill be returned to the micro-TLB 2175, to then enable the micro-TLB2175 to issue the required physical address over path 2192. However, inthe absence of a hit in either the micro-TLB 2175 or the main TLB 2180,then the translation table walk logic 2185 will be arranged to output arequest over path 2194 for the required descriptor from the relevantpage table within a second set of page tables associated with the secondMMU 2170. This second set of page tables includes descriptors whichassociate intermediate address portions with physical address portions,and typically there will be at least one page table for secure domainand one page table for non-secure domain. When a request is issued overpath 2194, this will result in the relevant descriptor from the secondset of page tables being returned to the second MMU 2170 for storingwithin the main TLB 2180.

The operation of the embodiment illustrated in FIG. 50A will now beillustrated further by way of a specific example as set out below, inwhich the abbreviation VA denotes virtual address, IA denotesintermediate address, and PA denotes physical address:  1) Core issuesVA = 3000 [IA = 5000, PA = 7000]  2) Miss in micro-TLB of MMU 1  3) Missin main TLB of MMU 1 Page Table 1 Base Address = 8000 IA [PA = 10000] 4) Translation Table Walk logic in MMU 1 performs page table lookupissues IA = 8003  5) Miss in micro-TLB of MMU 2  6) Miss in main TLB ofMMU 2 Page Table 2 Base Address = 12000 PA  7) Translation Table WalkLogic in MMU 2 performs page table lookup issues PA = 12008 “8000 IA =10000 PA” returned as page table data  8) stored in main TLB of MMU 2 9) stored in micro-TLB of MMU 2 10) Micro-TLB in MMU 2 now has hitissues PA = 10003 “3000 VA = 5000 IA” returned as page table data 11)stored in main TLB of MMU 1 12) stored in micro-TLB of MMU 1 13)Micro-TLB in MMU 1 now has hit issues IA = 5000 to perform data access14) miss in micro-TLB of MMU 2 15) miss in main TLB of MMU 2 16)Translation Table Walk Logic in MMU 2 performs page table lookup issuesPA = 12005 “5000 IA = 7000 PA” returned as page table data 17) stored inmain TLB of MMU 2 18) stored in micro-TLB of MMU 2 19) Micro-TLB in MMU2 now has hit issues PA = 7000 to perform data access 20) Data atphysical address 7000 returned to core

Next Time Core Issues a Memory Access Request (say VA 3001 . . . )

-   -   1) Core issues VA=3001    -   2) Hit in micro-TLB of MMU 1, request IA 5001 issued to MMU2

-   3) Hit in micro-TLB on MMU2, request for PA 7001 issued to memory    -   4) Data at PA 7001 returned to core.

It will be appreciated that in the above example misses occur in boththe micro-TLB and the main TLB of both MMUs, and hence this examplerepresents the ‘worst case’ scenario. Typically, it would be expectedthat a hit would be observed in at least one of the micro-TLBs or mainTLBs, thereby significantly reducing the time taken to retrieve thedata.

Returning to FIG. 51, the second set of page tables 2250 will typicallybe provided within a certain region of the physical address space, inpreferred embodiments a secure region. The first set of page tables canbe split into two types, namely secure page tables and non-secure pagetables. Preferably, the secure page tables will appear consecutivelywithin the intermediate address space 2265, as will the non-secure pagetables within the non-secure intermediate address space 2275. However,they need not be placed consecutively within the physical address space,and accordingly, by way of example, the secure page tables for the firstset of page tables may be spread throughout the secure regions 2210,2230, and in a similar way the non-secure page tables may be spreadthroughout the non-secure memory regions 2220 and 2240.

As mentioned previously, one of the main benefits of using the two-levelapproach of two sets of page tables is that for both the operatingsystem of the secure domain and the operating system of the non-securedomain the physical address space can be arranged to start at zero,which is what would typically be expected by an operating system.Additionally the secure memory regions can be completely hidden from thenon-secure operating system's view of its “physical address” space,since it sees as its physical address space the intermediate addressspace, which can be arranged to have a contiguous sequence ofintermediate addresses.

Additionally, the use of such an approach considerably simplifies theprocess of swapping regions of memory between non-secure memory andsecure memory. This is illustrated schematically with reference to FIG.52. As can be seen in FIG. 52, a region of memory 2300, which may forexample be a single page of memory, may exist within the non-securememory region 2220, and similarly a memory region 2310 may exist withinthe secure memory region 2210. However, these two memory regions 2300and 2310 can readily be swapped merely by changing the relevantdescriptors within the second set of page tables, such that the region2300 now becomes a secure region mapped to region 2305 in theintermediate address space of the secure domain, whilst region 2310 nowbecomes a non-secure region mapped to the region 2315 in theintermediate address space of the non-secure domain. This can occurentirely transparently to the operating systems in both the securedomain the non-secure domain, since their view of the physical addressspace is actually the intermediate address space of the secure domain ornon-secure domain, respectively. Hence, this approach avoids anyredefinition of the physical address space within each operating system.

An alternative embodiment of the present invention where two MMUs arealso used, but in a different arrangement to that of FIG. 50A, will nowbe described with reference to FIG. 50B. As can be seen from acomparison of FIG. 50B with FIG. 50A, the arrangement is almostidentical, but in this embodiment the first MMU 2150 is arranged toperform virtual address to physical address translation and the secondMMU is arranged to perform intermediate address to physical addresstranslation. Hence, instead of the path 2157 from the micro-TLB 2155 inthe first MMU 2150 to the micro-TLB 2175 in the second MMU 2170 used inthe FIG. 50A embodiment, the micro-TLB 2155 in the first MMU is insteadarranged to output a physical address directly over path 2192, as shownin FIG. 50B. The operation of the embodiment illustrated in FIG. 50Bwill now be illustrated by way of the specific example as set out below,which details the processing of the same core memory access request asillustrated earlier for the FIG. 50A embodiment:  1) Core issues VA =3000 [IA = 5000, PA = 7000]  2) Miss in micro-TLB and main TLB of MMU 1Page Table 1 Base Address = 8000 IA [PA = 10000]  3) Translation TableWalk logic in MMU1 performs page table lookup issues IA = 8003  4) IA8003 misses in micro-TLB and main TLB of MMU 2 Page Table 2 Base Address= 12000 PA  5) Translation Table Walk logic in MMU2 performs page tablelookup issues PA = 12008 “8000 IA = = 10000 PA” returned as page tabledata  6) “8000 IA = 10000 PA” mapping stored in Main and micro-TLB ofMMU2  7) Micro-TLB in MMU2 can now translate the request from step (3)to PA 10003 and issues fetch “3000 VA = 5000 IA” returned as page tabledata NOTE: This translation is retained in temporary storage by MMU1,but not stored directly in any TLB.  8) Translation table walk logic ofMMU1 now issues request to MMU2 for IA = 5000  9) IA 5000 misses in uTLBand main TLB of MMU 2 10) Translation Table Walk logic in MMU2 performspage table lookup issues PA = 12005 “5000 IA = 7000 PA” returned as pagetable data 11) MMU2 stores “5000 IA = 7000 PA” in uTLB and main TLB.This translation is also communicated to MMU1. 12a) MMU2 issues the PA =7000 access to memory 12b) MMU1 combines the “3000 VA = 5000 IA” and the“5000 IA = 7000 PA” descriptors to give a “3000 VA = 7000 PA”descriptor, which is stored in the main TLB and micro-TLB of MMU 1. 13)Data at PA 7000 is returned to the core.

Next Time Core Issues a Memory Access Request (say VA 3001 . . . )

-   1) Core issues VA=3001-   2) Hit in micro-TLB of MMU1, MMU1 issues request for PA=7001-   3) Data at PA 7001 is returned to the core.

As can bee seen from a comparison of the above example with thatprovided for FIG. 50A the main differences here are in step 7 where MMU1does not store the first table descriptor directly, and in step 12 b (12a and 12 b can happen at the same time) where MMU1 also receives theIA->PA translation and does the combination and stores the combineddescriptor in its TLBs.

Hence, it can be seen that whilst this alternative embodiment still usesthe two sets of page tables to convert virtual addresses to physicaladdresses, the fact that the micro-TLB 2155 and main TLB 2160 store thedirect virtual address to physical address translation avoids the needfor lookups to be performed in both MMUs when a hit occurs in either themicro-TLB 2155 or the main TLB 2160. In such cases the first MMU candirectly handle requests from the core without reference to the secondMMU.

It will be appreciated that the second MMU 2170 could be arranged not toinclude the micro-TLB 2175 and the main TLB 2180, in which case the pagetable walk logic 2185 would be used for every request that neededhandling by the second MMU. This would save on complexity and cost forthe second MMU, and might be acceptable assuming the second MMU was onlyneeded relatively infrequently. Since the first MMU will need to be usedfor every request, it will typically be expedient to include themicro-TLB 2155 and main TLB 2160 in the first MMU 2150 to improve speedof operation of the first MMU.

It should be noted that pages in the page tables may vary in size, andit is hence possible that the descriptors for the two halves of thetranslation relate to different sized pages. Typically, the MMU1 pageswill be smaller than the MMU2 pages but this is not necessarily thecase. For example:

-   -   Table 1 maps 4 Kb at 0x40003000 onto 0x00081000

-   Table 2 maps 1 Mb at 0x00000000 onto 0x02000000

Here, the smallest of the two sizes must be used for the combinedtranslation, so the combined descriptor is

-   -   4 Kb at 0x40003000 onto 0x02081000

However, where data is being swapped between worlds (as discussedearlier with reference to FIG. 52) it is possible that the reverse istrue, for example:

-   -   Table 1 maps 1 Mb at 0xc0000000 onto 0x00000000    -   Table 2 maps 4 Kb at 0x00042000 onto 0x02042000

Now, a lookup at address 0xc0042010 from the core gives the mapping:

-   -   4 Kb at 0xc0042000 onto 0x02042000    -   i.e. the smaller of the two sizes is always used for the        combined mapping.

Note that in the second case the process is less efficient, since the (1Mb) descriptor in table 1 will be repeatedly looked up and discarded asdifferent 4 Kb areas are accessed. However, in a typical system thetable 2 descriptors will be larger (as in the first example) themajority of the time, which is more efficient (the 1 Mb mapping can berecycled for other 4 Kb pages which point into the appropriate sectionof IA space).

As an alternative to employing two separate MMUs as illustrated in FIGS.50A and 50B, a single MMU can be used as illustrated in FIG. 53, whereupon a miss in the main TLB 2420, an exception is generated by the MMU,which then causes software to be run within the core 10 to produce avirtual to physical address translation based on a combination ofdescriptors from the two different sets of page tables. Moreparticularly, as shown in FIG. 53, the core 10 is coupled to an MMU2400, which includes a micro-TLB 2410 and a main TLB 2420. When the core10 issues a memory access request, the virtual address is provided overpath 2430, and if a hit is observed in the micro-TLB, then thecorresponding physical address is output directly over path 2440,causing the data to be returned over path 2450 into the core 10.However, if there is a miss in the micro-TLB 2410, the main TLB 2420 isreferenced and if the relevant descriptor is contained within the mainTLB the associated virtual address portion and corresponding physicaladdress portion are retrieved into the micro-TLB 2410, whereafter thephysical address can be issued over path 2440. However, if the main TLBalso produces a miss, then an exception is generated over path 2422 tothe core. The process performed within the core from receipt of such anexception will now be described further with reference to FIG. 54.

As shown in FIG. 54, if a TLB miss exception is detected by the core atstep 2500, then the core enters the monitor mode at a predeterminedvector for that exception at step 2510. This will then cause page tablemerging code to be run to perform the remainder of the steps illustratedin FIG. 54.

More particularly, at step 2520, the virtual address that was issuedover path 2430, and that gave rise to the miss in both the micro-TLB2410 and the main TLB 2420 (hereafter referred to as the faultingvirtual address) is retrieved, whereafter at step 2530 the intermediateaddress for the required first descriptor is determined dependent on theintermediate base address for the appropriate table within the first setof tables. Once that intermediate address has been determined (typicallyby some predetermined combination of the virtual address with theintermediate base address), then the relevant table within the secondset of tables is referenced in order to obtain the correspondingphysical address for that first descriptor. Thereafter at step 2550 thefirst descriptor can be fetched from memory in order to enable theintermediate address for the faulting virtual address to be determined.

Then, at step 2560, the second table is again referenced to find asecond descriptor giving the physical address for the intermediateaddress of the faulting virtual address. Thereafter at step 2570, thesecond descriptor is fetched to obtain the physical address for thefaulting virtual address.

Once the above information has been obtained, then the program mergesthe first and second descriptors to generate a new descriptor giving therequired virtual address to physical address translation, this stepbeing performed at step 2580. In a similar manner to that describedearlier with reference to FIG. 50B, the merging performed by thesoftware again uses the smallest page table size for the combinedtranslation. Thereafter, at step 2590, the new descriptor is storedwithin the main TLB 2420, whereafter the process returns from theexception at step 2595.

Thereafter, the core 10 will be arranged to reissue the virtual addressfor the memory access request over path 2430, which will still result ina miss in the micro-TLB 2410, but will now result in a hit in the mainTLB 2420. Hence, the virtual address portion and corresponding physicaladdress portion can be retrieved into the micro-TLB 2410, whereafter themicro-TLB 2410 can then issue the physical address over path 2440,resulting in the required data being returned to the core 10 over path2450.

It will be appreciated that, as alternative embodiments to thosedescribed earlier with reference to FIGS. 50A and 50B, one or both MMUsin those embodiments could be managed by software using the principlesdescribed above with reference to FIGS. 53 and 54.

Irrespective of whether two MMUs are used as shown in FIG. 50A or 50B,or one MMU is used as shown in FIG. 53, the fact that the second set ofpage tables is managed by the processor when operating in monitor mode(or alternatively in a privileged secure mode) ensures that those pagetables are secure. As a result, when the processor is in the non-securedomain it can only see non-secure memory, since it is only theintermediate address space generated for the non-secure domain by thesecond set of page tables that the processor can see when in thenon-secure domain. As a result, there is no need to provide a partitionchecker as part of the memory management logic 30 illustrated in FIG. 1.However, a partition checker would still be provided on the external busto monitor accesses made by other bus masters in the system.

In the embodiments discussed earlier with reference to FIGS. 37 and 38,a partition checker 222 was provided in association with the MMU 200,and accordingly when an access is to be performed in the cache 38, alook-up will have already been performed in the micro-TLB 206 first, andaccordingly access permissions, especially secure and non-securepermissions, would have been checked. Accordingly, in such embodiments,secure data cannot be stored in the cache 38 by non-secure applications.Access to the cache 38 is under the control of the partition checkingperformed by the partition checker 222, and accordingly no access tosecure data can be performed in non-secure mode.

However, in an alternative embodiment of the present invention, apartition checker 222 is not provided for monitoring accesses made overthe system bus 40, and instead the data processing apparatus merely hasa single partition checker coupled to the external bus 70 for monitoringaccesses to memory units connected to that external bus. In suchembodiments, this then means that the processor core 10 can access anymemory units coupled directly to the system bus 40, for example the TCM36 and the cache 38, without those accesses being policed by theexternal partition checker, and accordingly some mechanism is requiredto ensure that the processor core 10 does not access secure data withinthe cache 38 or the TCM 36 whilst operating in a non-secure mode.

FIG. 55 illustrates a data processing apparatus in accordance with oneembodiment of the present invention, where a mechanism is provided toenable the cache 38 and/or the TCM 36 to control accesses made to themwithout the need for any partition checking logic to be provided inassociation with the MMU 200. As shown in FIG. 55, the core 10 iscoupled via an MMU 200 to the system bus 40, the cache 38 and TCM 36also being coupled to the system bus 40. The core 10, cache 38 and TCM36 are coupled via the external bus interface 42 to the external bus 70,which as illustrated in FIG. 55 consists of an address bus 2620, acontrol bus 2630 and a data bus 2640.

The core 10, MMU 200, cache 38, TCM 36 and external bus interface 42 canbe viewed as constituting a single device connected onto the externalbus 70, also referred to as a device bus, and other devices may also becoupled to that device bus, for example the secure peripheral device 470or the non-secure peripheral device 472. Also connected to the devicebus 70 will be one or more memory units, for example the external memory56. In addition, a bus control unit 2650 is connected to the device bus70, and will typically include an arbiter 2652, a decoder 2654 and apartition checker 2656. For a general discussion of the operation of thecomponents connected to the device bus, reference should be made to theearlier described FIG. 47. In the earlier described FIG. 47, thearbiter, decoder and partition checker were shown as separate blocks,but these elements work in the same manner when placed within a singlecontrol block 2650.

The MMU 200 of FIG. 55 is illustrated in more detail in FIG. 56. Bycomparison of FIG. 56 with FIG. 37, it can be seen that the MMU 200 isconstructed in exactly the same way as the MMU of FIG. 37, the onlydifference being that a partition checker 222 is not provided formonitoring data sent over path 242 between the main TLB 208 and themicro-TLB 206. If the processor core 10 issues a memory access requestthat specifies a virtual address, then that memory access request willbe routed through the MMU 200, and will be processed as describedearlier with reference to FIG. 37, resulting in a physical address beingoutput onto the system bus 40 over path 238 from the micro-TLB 206. If,in contrast, the memory access request directly specifies a physicaladdress, this will bypass the MMU 200, and instead will be routeddirectly onto the system bus 40 via path 236. In one embodiment onlywhen the processor is operating in the monitor mode will it generatememory access requests that directly specify physical addresses.

As will be recalled from the earlier description of the MMU 200, and inparticular from the description of FIG. 43, the main TLB 208 willcontain a number of descriptors 435, and for each descriptor a domainflag 425 will be provided to identify whether the correspondingdescriptor is from a secure page table or a non-secure page table. Thesedescriptors 435 and associated domain flags 425 are illustratedschematically within the MMU 200 of FIG. 55.

When the core 10 issues a memory access request, this will result in aphysical address for that memory access request being output on thesystem bus 40 and typically the cache 38 will then perform a look-upprocess to determine whether the data item specified by that address isstored within the cache. Whenever a miss occurs within the cache, i.e.it is determined that the data item subject to the access request is notstored within the cache, a linefill procedure will be initiating by thecache in order to retrieve from the external memory 56 a line of datathat includes the data item the subject of the memory access request. Inparticular, the cache will output via the EBI 42 a linefill request ontothe control bus 2630 of the device bus 70, with a start address beingoutput on the address bus 2620. In addition, an HPROT signal will beoutput over path 2632 onto the control bus 2630, which will include adomain signal specifying the mode of operation of the core at the timethe memory access request was issued. Hence, the linefill process can beviewed as the propagation of the original memory access request onto theexternal bus by the cache 38.

This HPROT signal will be received by the partition checker 2656, andaccordingly will identify to the partition checker whether the devicerequesting the specified data from the external memory 56 (in this casethe device incorporating the core 10 and the cache 38) was operating inthe secure domain or the non-secure domain at the time the memory accessrequest was issued. The partition checker 2656 will also have access tothe partitioning information identifying which regions of memory aresecure or non-secure, and accordingly can determine whether the deviceis allowed to have access to the data it is requesting. Hence, thepartition checker can be arranged to only allow a device to have accessto a secure part of the memory if the domain signal within the HPROTsignal (also referred to herein as an S bit) is asserted to identifythat access to this data was requested by the device whilst operating ina secure mode of operation.

If the partition checker determines that the core 10 is not allowed tohave access to the data requested, for example because the HPROT signalhas identified that the core was operating in a non-secure mode ofoperation, but the linefill request is seeking to retrieve data from theexternal memory that is within a secure region of memory, then thepartition checker 2656 will issue an abort signal onto the control bus2630, which will be passed back over path 2636 to the EBI 42, and fromthere back to the cache 38, resulting in an abort signal being issuedover path 2670 to the core 10. However, if the partition checker 2656determines that the access is allowed, then it will output an S tagsignal identifying whether the data being retrieved from the externalmemory is secure data or non-secure data, and this S Tag signal will bepassed back via path 2634 to the EBI 42, and from there back to thecache 38 to enable setting of the flag 2602 associated with the cacheline 2600 the subject of the linefill process.

At the same time, the control logic 2650 will authorise the externalmemory 56 to output the linefill data requested, this data being passedback via the EBI 42 over path 2680 to the cache 38 for storing in therelevant cache line 2600. Hence, as a result of this process, the chosencache line within the cache 38 will be filled with data items from theexternal memory 56, these data items including the data item that wasthe subject of the original memory access request from the core 10. Thedata item the subject of the memory access request from the core canthen be returned to the core from the cache 38, or alternatively can beprovided directly from the EBI 42 back to the core 10 over path 2660.

Since, in preferred embodiments, the original storage of data in a cacheline will occur as a result of the above described linefill process, theflag 2602 associated with that cache line will be set based on the valueprovided by the partition checker 2656, and that flag can then be usedby the cache 38 to directly control any subsequent access to the dataitems in that cache line 2600. Hence, if the core 10 subsequently issuesa memory access request that produces a hit in a particular cache line2600 of the cache 38, the cache 38 will review the value of theassociated flag 2602, and compare that value with the current mode ofoperation of the core 10. In preferred embodiments, this current mode ofoperation of the core 10 is indicated by a domain bit set by the monitormode within the CP 15 domain status register. Hence, cache 38 can bearranged to only allow data items in a cache line that the correspondingflag 2602 indicates is secure data to be accessed by the processor core10 when the processor core 10 is operating in a secure mode ofoperation. Any attempt by the core to access secure data within thecache 38 whilst the core is operating in a non-secure mode will resultin the cache 38 generating an abort signal over path 2670.

The TCM 36 can be set up in a variety of ways. In one embodiment, it canbe set up to act like a cache, and in that embodiment will be arrangedto include a plurality of lines 2610, each of which has a flag 2612associated therewith in the same way as the cache 38. Accesses to theTCM 36 are then managed in exactly the same way as described earlierwith reference to the cache 38, with any TCM miss resulting in alinefill process being performed, as a result of which data will beretrieved into a particular line 2610, and the partition checker 2656will generate the required S tag value for storing in the flag 2612associated with that line 2610.

In an alternative embodiment, the TCM 36 may be set up as an extensionof the external memory 56 and used to store data used frequently by theprocessor, since access to the TCM via the system bus is significantlyfaster than access to external memory. In such embodiments, the TCM 36would not use the flags 2612, and instead a different mechanism would beused to control access to the TCM. In particular, as described earlier,in such embodiments, a control flag may be provided which is settable bythe processor when operating in a privileged secure mode to indicatewhether the tightly coupled memory is controllable by the processor onlywhen executing in a privileged secure mode or is controllable by theprocessor when executing in the at least one non-secure mode. Thecontrol flag is set by the secure operating system, and in effectdefines whether the TCM is controlled by the privileged secure mode orby non-secure modes. Hence, one configuration that can be defined isthat the TCM is only controlled when the processor is operating in aprivileged secure mode of operation. In such embodiments, any non-secureaccess attempted to the TCM control registers will cause an undefinedinstruction exception to be entered.

In an alternative configuration, the TCM can be controlled by theprocessor when operating in a non-secure mode of operation. In suchembodiments, the TCM is only used by the non-secure applications. Nosecure data can be stored to or loaded from the TCM. Hence, when asecure access is performed, no look-up is performed within the TCM tosee if the address matched the TCM address range.

FIG. 57 is a flow diagram illustrating the processing performed by theapparatus of FIG. 55 when a non-secure program operating on theprocessor core 10 generates a virtual address (step 2700). Firstly, atstep 2705, a look-up is performed within the micro-TLB 206, and if thisresults in a hit, the micro-TLB then checks access permissions at step2730. With reference to FIG. 56, this process can be viewed as beingperformed by the access permission logic 202.

If at step 2705, a miss occurs in the micro-TLB look-up, then a look-upis performed in the main TLB 208 amongst the non-secure descriptorsstored therein (step 2710). If this results in a miss, then a page tablewalk process is performed at step 2715 (which has been discussed indetail previously with reference to FIG. 37), where after at step 2720it is determined that the main TLB contains the valid tagged non-securedescriptor. If the look-up at step 2710 produces a hit, then the processproceeds directly to step 2720.

Thereafter, at step 2725, the micro-TLB is loaded with the section ofthe descriptor which contains the physical address, whereafter at step2730 the micro-TLB checks the access permissions.

If at step 2730, it is determined that there is a violation of theaccess permissions, then the process proceeds to step 2740, where anabort signal is issued over path 230 to the processor core (analogous topath 2670 shown in FIG. 55). However, assuming there is no violationdetected, then at step 2745 it is determined whether the access isrelated to a cacheable data item. If not, then an external access isinitiated at step 2790 to seek to retrieve the data item from theexternal memory 56. At step 2795, the partition checker 2656 willdetermine whether there is a secure partition violation, i.e. if theprocessor core 10 is seeking to access a data item in secure memorywhilst operating in a non-secure mode, and if a violation is detected,then the partition checker 2656 will generate an abort signal at step2775. However, assuming there is no secure partition violation, then theprocess proceeds to step 2785, where the data access takes place.

If at step 2745 it was determined that the data item being requested iscacheable, then a cache look-up is performed at step 2750 within thecache, and if a hit is detected, the cache then determines whether thereis a secure line tag violation at step 2755. Hence, at this stage, thecache will review the value of the flag 2602 associated with the cacheline containing the data item, and will compare the value of that flagwith the mode of operation of the core 10 to determine whether the coreis entitled to access the data item requested. If a secure line tagviolation is detected, then the process proceeds to step 2760, where asecure violation fault abort signal is generated by the cache 38 andissued over path 2670 to the core 10. However, assuming there is nosecure line tag violation detected at step 2755, then the data access isperformed at step 2785.

If when the cache look-up is performed at step 2750 a cache miss occurs,then a cache linefill is initiated at step 2765. At step 2770, thepartition checker 2656 then detects whether there is a secure partitionviolation, and if so issues an abort signal at step 2775. However,assuming there is no secure partition violation detected, then the cachelinefill proceeds at step 2780, resulting in the data access completingat step 2785.

As illustrated in FIG. 57, steps 2705, 2710, 2715, 2720, 2725, 2730 and2735 are performed within the MMU, steps 2745, 2750, 2755, 2765, 2780and 2790 are performed by the cache, and steps 2770 and steps 2795 areperformed by the partition checker.

FIG. 58 is a flow diagram showing the analogous process performed in theevent that a secure program executing on the core generates a virtualaddress (step 2800). By comparison of FIG. 58 with FIG. 57, it will beappreciated that steps 2805 through 2835 performed within the MMU areanalogous to the steps 2705 through 2735 described earlier withreference to FIG. 57. The only difference is at step 2810, where thelook-up performed within the main TLB is performed in relation to anysecure descriptors stored within the main TLB, as a result of which atstep 2820 the main TLB contains valid tagged secure descriptors.

Within the cache, the cache no longer needs to look for any secure linetag violation, since in the embodiment illustrated with reference toFIG. 58, it is assumed that the secure program can access both securedata and non-secure data. Accordingly, if a hit occurs during the cachelook-up at step 2850, then the process proceeds directly to the dataaccess step 2885.

Similarly, in the event that an external access to the external memoryis required (i.e. at steps 2865 or 2890), the partition checker needperform no partition checking, since again it is assumed that the secureprogram can access either secure data or non-secure data.

The steps 2845, 2850, 2865, 2880 and 2890 performed within the cache areanalogous to the steps 2745, 2750, 2765, 2780 and 2790 described earlierwith reference to FIG. 57.

FIG. 59 shows different modes and applications running on a processor.The dashed lines indicate how different modes and/or applications can beseparated and isolated from one another during monitoring of theprocessor according to an embodiment of the present invention.

The ability to monitor a processor to locate possible faults anddiscover why an application is not performing as expected is extremelyuseful and many processors provide such functions. The monitoring can beperformed in a variety of ways including debug and trace functions.

In the processor according to the present technique debug can operate inseveral modes including halt debug mode and monitor debug mode. Thesemodes are intrusive and cause the program running at the time to bestopped. In halt debug mode, when a breakpoint or watchpoint occurs, thecore is stopped and isolated from the rest of the system and the coreenters debug state. On entry the core is halted, the pipeline is flushedand no instructions are pre-fetched. The PC is frozen and any interrupts(IRQ and FIQ) are ignored. It is then possible to examine the coreinternal state (via the JTAG serial interface) as well as the state ofthe memory system. This state is invasive to program execution, as it ispossible to modify current mode, change register contents, etc. OnceDebug is terminated, the core exits from the Debug State by scanning inthe Restart instruction through the Debug TAP (test access port). Thenthe program resumes execution.

In monitor debug mode, a breakpoint or watchpoint causes the core toenter abort mode, taking prefetch or Data Abort vectors respectively. Inthis case, the core is still in a functional mode and is not stopped asit is in Halt debug mode. The abort handler communicates with a debuggerapplication to access processor and coprocessor state or dump memory. Adebug monitor program interfaces between the debug hardware and thesoftware debugger. If bit 11 of the debug status and control registerDSCR is set (see later), interrupts (FIQ and IRQ) can be inhibited. Inmonitor debug mode, vector catching is disabled on Data Aborts andPrefetch Aborts to avoid the processor being forced into anunrecoverable state as a result of the aborts that are generated for themonitor debug mode. It should be noted that monitor debug mode is a typeof debug mode and is not related to monitor mode of the processor whichis the mode that supervises switching between secure world andnon-secure world.

Debug can provide a snapshot of the state of a processor at a certainmoment. It does this by noting the values in the various registers atthe moment that a debug initiation request is received. These values arerecorded on a scan chain (541, 544 of FIG. 67) and they are thenserially output using a JTAG controller (18 or FIG. 1).

An alternative way of monitoring the core is by trace. Trace is notintrusive and records subsequent states as the core continues tooperate. Trace runs on an embedded trace macrocell (ETM) 22, 26 ofFIG. 1. The ETM has a trace port through which the trace information isexported, this is then analysed by an external trace port analyser.

The processor of embodiments of the present technique operates in twoseparate domains, in the embodiments described these domains comprisesecure and non-secure domains. However, for the purposes of themonitoring functions, it will be clear to the skilled person that thesedomains can be any two domains between which data should not leak.Embodiments of the present technique are concerned with preventingleakage of data between the two domains and monitoring functions such asdebug and trace which are conventionally allowed access to the wholesystem are a potential source of data leakage between the domains.

In the example given above of a secure and non-secure domain or world,secure data must not be available to the non-secure world. Furthermore,if debug is permitted, in secure world, it may be advantageous for someof the data within secure world to be restricted or hidden. The hashedlines in FIG. 59 shows some examples of possible ways to segment dataaccess and provide different levels of granularity. In FIG. 59, monitormode is shown by block 500 and is the most secure of all the modes andcontrols switching between secure and non-secure worlds. Below monitormode 500 there is a supervisor mode, this comprises secure supervisormode 510 and non-secure supervisor mode 520. Then there is non-secureuser mode having applications 522 and 524 and secure user mode withapplications 512, 514 and 516. The monitoring modes (debug and trace)can be controlled to only monitor non-secure mode (to the left of hashedline 501). Alternatively the non-secure domain or world and the secureuser mode may be allowed to be monitored (left of 501 and the portionright of 501 that lies below 502). In a further embodiment thenon-secure world and certain applications running in the secure userdomain may be allowed, in this case further segmentation by hashed lines503 occurs. Such divisions help prevent leakage of secure data betweendifferent users who may be running the different applications. In somecontrolled cases monitoring of the entire system may be allowed.According to the granularity required the following parts of the coreneed to have their access controlled during monitoring functions.

There are four registers that can be set on a Debug event; theinstruction Fault Status Register (IFSR), Data Fault Status Register(DFSR), Fault Address Register (FAR), and Instruction Fault AddressRegister (IFAR). These registers should be flushed in some embodimentswhen going from secure world to non-secure world to avoid any leak ofdata.

PC sample register: The Debug TAP can access the PC through scan chain7. When debugging in secure world, that value may be masked depending onthe debug granularity chosen in secure world. It is important thatnon-secure world, or non-secure world plus secure user applicationscannot get any value of the PC while the core is running in the secureworld.

TLB entries: Using CP15 it is possible to read micro TLB entries andread and write main TLB entries. We can also control main TLB and microTLB loading and matching. This kind of operation must be strictlycontrolled, particularly if secure thread-aware debug requiresassistance of the MMU/MPU.

Performance Monitor Control register: The performance control registergives information on the cache misses, micro TLB misses, external memoryrequests, branch instruction executed, etc. Non-secure world should nothave access to this data, even in Debug State. The counters should beoperable in secure world even if debug is disabled in secure world.

Debugging in cache system: Debugging must be non-intrusive in a cachedsystem. It is important is to keep coherency between cache and externalmemory. The Cache can be invalidated using CP15, or the cache can beforced to be write-through in all regions. In any case, allowing themodification of cache behaviour in debug can be a security weakness andshould be controlled.

Endianness: Non-secure world or secure user applications that can accessto debug should not be allowed to change endianness. Changing theendianness could cause the secure kernel to malfunction. Endiannessaccess is prohibited in debug, according to the granularity.

Access of the monitoring functions to portions of the core can becontrolled at initiation of the monitoring function. Debug and trace areinitialised in a variety of ways. Embodiments of the present techniquecontrol the access of the monitoring function to certain secure portionsof the core by only allowing initialisation under certain conditions.

Embodiments of the present technique seek to restrict entry intomonitoring functions with the following granularity:

-   -   By controlling separately intrusive and observable (trace)        debug;    -   By allowing debug entry in secure user mode only or in the whole        secure world;    -   By allowing debug in secure user mode only and moreover taking        account of the thread ID (application running).

In order to control the initiation of a monitoring function it isimportant to be aware of how the functions can be initiated. FIG. 60shows a table illustrating the possible ways of initiating a monitoringfunction, the type of monitoring function that is initiated and the waythat such an initiation instruction can be programmed.

Generally, these monitoring instructions can be entered via software orvia hardware, i.e. via the JTAG controller. In order to control theinitiation of monitoring functions, control values are used. Thesecomprise enable bits which are condition dependent and thus, if aparticular condition is present, monitoring is only allowed to start ifthe enable bit is set. These bits are stored on a secure register CP14(debug and status control register, DSCR), which is located in ICE 530(see FIG. 67).

In a preferred embodiment there are four bits that enable/disableintrusive and observable debug, these comprise a secure debug enablebit, a secure trace enable bit, a secure user-mode enable bit and asecure thread aware enable bit. These control values serve to provide adegree of controllable granularity for the monitoring function and assuch can help stop leakage of data from a particular domain. FIG. 61provides a summary of these bits and how they can be accessed.

These control bits are stored in a register in the secure domain andaccess to this register is limited to three possibilities. Softwareaccess is provided via ARM coprocessor MRC/MCR instructions and theseare only allowed from the secure supervisor mode. Alternatively,software access can be provided from any other mode with the use of anauthentication code. A further alternative relates more to hardwareaccess and involves the instructions being written via an input port onthe JTAG. In addition to being used to input control values relating tothe availability of monitoring functions, this input port can be used toinput control values relating to other functions of the processor.

Further details relating to the scan chain and JTAG are given below.

Register Logic Cell

Every integrated circuit (IC) consists of two kind of logic:

-   -   Combinatory logic cells; like AND, OR, INV gates. Such gates or        combination of such gates is used to calculate Boolean        expressions according to one or several input signals.    -   Register logic cells; like LATCH, FLIP-FLOP. Such cells are used        to memorize any signal value. FIG. 62 shows a positive-edge        triggered FLIP-FLOP view:

When positive-edge event occurs on the clock signal (CK), the output (Q)received the value of the input (D); otherwise the output (Q) keeps itsvalue in memory.

Scan Chain Cell

For test or debug purpose, it is required to bypass functional access ofregister logic cells and to have access directly to the contents of theregister logic cells. Thus register cells are integrated in a scan chaincell as shown in FIG. 63.

In functional mode, SE (Scan Enable) is clear and the register cellworks as a single register cell. In test or debug mode, SE is set andinput data can come from SI input (Scan In) instead of D input.

Scan Chain

All scan chain cells are chained in scan chain as shown in FIG. 64.

In functional mode, SE is clear and all register cells can be accessednormally and interact with other logic of the circuit. In Test or Debugmode, SE is set and all registers are chained between each other in ascan chain. Data can come from the first scan chain cell and can beshifted through any other scan chain cell, at the cadence of each clockcycle. Data can be shifted out also to see the contents of theregisters.

TAP Controller

A debug TAP controller is used to handle several scan chains. The TAPcontroller can select a particular scan chain: it connects “Scan In” and“Scan Out” signals to that particular scan-chain. Then data can bescanned into the chain, shifted, or scanned out. The TAP controller iscontrolled externally by a JTAG port interface. FIG. 65 schematicallyillustrates a TAP controller.

JTAG Selective Disable Scan Chain Cell

For security reasons, some registers might not be accessible by scanchain, even in debug or test mode. A new input called JADI (JTAG AccessDisable) can allow removal dynamically or statically of a scan chaincell from a whole scan chain, without modifying the scan chain structurein the integrated circuit. FIGS. 66A and B schematically show thisinput.

If JADI is inactive (JADI=0), whether in functional or test or debugmode, the scan chain works as usual. If JADI is active (JADI=1), and ifwe are in test or debug mode, some scan chain cells (chosen bydesigner), may be “removed” from the scan chain structure. In order tokeep the same number of scan-chain cell, the JTAG Selective Disable ScanChain Cell use a bypass register. Note that Scan Out (SO) and scan chaincell output (Q) are now different.

FIG. 67 schematically shows the processor including parts of the JTAG.In normal operation instruction memory 550 communicates with the coreand can under certain circumstances also communicate with register CP14and reset the control values. This is generally only allowable fromsecure supervisor mode.

When debug is initiated instructions are input via debug TAP 580 and itis these that control the core. The core in debug runs in a step by stepmode. Debug TAP has access to CP14 via the core (in dependence upon anaccess control signal input on the JSDAEN pin shown as JADI pin, JTAGACCESS DISABLE INPUT in FIG. 45) and the control values can also bereset in this way.

Access to the CP14 register via debug TAP 580 is controlled by an accesscontrol signal JSDAEN. This is arranged so that in order for access andin particular write access to be allowed JSDAEN must be set high. Duringboard stage when the whole processor is being verified, JSDAEN is sethigh and debug is enabled on the whole system. Once the system has beenchecked, the JSDAEN pin can be tied to ground, this means that access tothe control values that enable debug in secure mode is now not availablevia Debug TAP 580. Generally processors in production mode have JSDAENtied to ground. Access to the control values is thus, only available viathe software route via instruction memory 550. Access via this route islimited to secure supervisor mode or to another mode provided anauthentication code is given (see FIG. 68).

It should be noted that by default debug (intrusive andobservable—trace) are only available in non-secure world. To enable themto be available in secure world the control value enable bits need to beset.

The advantages of this are that debug can always be initiated by usersto run in non-secure world. Thus, although access to secure world is notgenerally available to users in debug this may not be a problem in manycases because access to this world is limited and secure world has beenfully verified at board stage prior to being made available. It istherefore foreseen that in many cases debugging of the secure world willnot be necessary. A secure supervisor can still initiate debug via thesoftware route of writing CP14 if necessary.

FIG. 68 schematically shows the control of debug initialisation. In thisFigure a portion of the core 600 comprises a storage element 601 (whichmay be a CP15 register as previously discussed) in which is stored asecure status bit S indicative of whether the system is in secure worldor not. Core 600 also comprises a register 602 comprising bitsindicative of the mode that the processor is running in, for exampleuser mode, and a register 603 providing a context identifier thatidentifies the application or thread that is currently running on thecore.

When a breakpoint is reached comparator 610, which compares a breakpointstored on register 611 with the address of the core stored in register612, sends a signal to control logic 620. Control logic 620 looks at thesecure state S, the mode 602 and the thread (context identifier) 603 andcompares it with the control values and condition indicators stored onregister CP14. If the system is not operating in secure world, then a“enter debug” signal will be output at 630. If however, the system isoperating in secure world, the control logic 620 will look at the mode602, and if it is in user mode will check to see if user mode enable anddebug enable bits are set. If they are then debug will be initialisedprovided that a thread aware bit has not been initialised. The aboveillustrates the hierarchical nature of the control values.

The thread aware portion of the monitoring control is also shownschematically in FIG. 68 along with how the control value stored inregister CP14 can only be changed from secure supervisor mode (in thisembodiment the processor is in production stage and JSDAEN is tied toground). From a secure user mode, secure supervisor mode can be enteredusing an authentication code and then the control value can be set inCP14.

Control logic 620 outputs an “enter debug” signal when addresscomparator 610 indicates that a breakpoint has been reached providedthread comparator 640 shows that debug is allowable for that thread.This assumes that the thread aware initialisation bit is set in CP14. Ifthe thread aware initialisation bit is set following a breakpoint, debugor trace can only be entered if address and context identifiers matchthose indicated in the breakpoint and in the allowable thread indicator.Following initiation of a monitoring function, the capture of diagnosticdata will only continue while the context identifier is detected bycomparator 640 as an allowed thread. When a context identifier showsthat the application running is not an allowed one, then the capture ofdiagnostic data is suppressed.

It should be noted that in the preferred embodiment, there is somehierarchy within the granularity. In effect the secure debug or traceenable bit is at the top, followed by the secure user-mode enable bitand lastly comes the secure thread aware enable bit. This is illustratedin FIGS. 69A and 69B (see below).

The control values held in the “Debug and Status Control” register(CP14) control secure debug granularity according to the domain, themode and the executing thread. It is on top of secure supervisor mode.Once the “Debug and Status Control” register CP14 is configured, it's upto secure supervisor mode to program the corresponding breakpoints,watchpoints, etc to make the core enter Debug State.

FIG. 69A shows a summary of the secure debug granularity for intrusivedebug. Default values at reset are represented in grey colour.

It is the same for debug granularity concerning observable debug. FIG.69B shows a summary of secure debug granularity in this case, heredefault values at reset are also represented in grey colour.

Note that Secure user-mode debug enable bit and Secure thread-awaredebug enable bit are commonly used for intrusive and observable debug.

A thread aware initialisation bit is stored in register CP14 andindicates if granularity by application is required. If the thread awarebit has been initialised, the control logic will further check that theapplication identifier or thread 603 is one indicated in the threadaware control value, if it is, then debug will be initialised. If eitherof the user mode or debug enable bits are not set or the thread awarebit is set and the application running is not one indicated in thethread aware control value, then the breakpoint will be ignored and thecore will continue doing what it was doing and debug will not beinitialised.

In addition to controlling initialisation of monitoring functions, thecapture of diagnostic data during a monitor function can also becontrolled in a similar way. In order to do this the core must continueto consider both the control values, i.e. the enable bits stored inregister CP14 and the conditions to which they relate during operationof the monitoring function.

FIG. 70 shows schematically granularity of a monitoring function whileit is running. In this case region A relates to a region in which it ispermissible to capture diagnostic data and region B relates to region inwhich control values stored in CP14 indicate that it is not possible tocapture diagnostic data.

Thus, when debug is running and a program is operating in region A,diagnostic data is output in a step-by-step fashion during debug. Whenoperation switches to Region B, where the capture of diagnostic data isnot allowed, debug no longer proceeds in a step by step fashion, ratherit proceeds atomically and no data is captured. This continues untiloperation of the program re-enters region A whereupon the capture ofdiagnostic data starts again and debug continues running in astep-by-step fashion.

In the above embodiment, if secure domain is not enabled, a SMIinstruction is always seen as an atomic event and the capture ofdiagnostic data is suppressed.

Furthermore, if the thread aware initialisation bit is set thengranularity of the monitoring function during operation with respect toapplication also occurs.

With regard to observable debug or trace, this is done by ETM and isentirely independent of debug. When trace is enabled ETM works as usualand when it is disabled, ETM hides trace in the secure world, or part ofthe secure world depending on the granularity chosen. One way to avoidETM capturing and tracing diagnostic data in the secure domain when thisis not enabled is to stall ETM when the S-bit is high. This can be doneby combining the S-bit with the ETMPWRDOWN signal, so that the ETMvalues are held at their last values when the core enters secure world.The ETM should thus trace a SMI instruction and then be stalled untilthe core returns to non-secure world. Thus, the ETM would only seenon-secure activity.

A summary of some of the different monitoring functions and theirgranularity is given below.

Intrusive Debug at Board Stage

At board stage when the JSDAEN pin is not tied, there is the ability toenable debug everywhere before starting any boot session. Similarly, ifwe are in secure supervisor mode we have similar rights.

If we initialise debug in halt debug mode all registers are accessible(non-secure and secure register banks) and the whole memory can bedumped, except the bits dedicated to control debug.

Debug halt mode can be entered from whatever mode and from whateverdomain. Breakpoints and watchpoints can be set in secure or innon-secure memory. In debug state, it is possible to enter secure worldby simply changing the S bit via an MCR instruction.

As debug mode can be entered when secure exceptions occur, the vectortrap register is extended with new bits which are;

-   -   SMI vector trapping enable    -   Secure data abort vector trapping enable    -   Secure prefetch abort vector trapping enable    -   Secure undefined vector trapping enable.

In monitor debug mode, if we allow debug everywhere, even when an SMI iscalled in non-secure world, it is possible to enter secure world instep-by-step debug. When a breakpoint occurs in secure domain, thesecure abort handler is operable to dump secure register bank and securememory.

The two abort handlers in secure and in non-secure world give theirinformation to the debugger application so that debugger window (on theassociated debug controlling PC) can show the register state in bothsecure and non-secure worlds.

FIG. 71A shows what happens when the core is configured in monitor debugmode and debug is enabled in secure world. FIG. 71B shows what happenswhen the core is configured in monitor debug mode and the debug isdisabled in secure world. This later process will be described below.

Intrusive Debug at Production Stage

In production stage when JSDAEN is tied and debug is restricted tonon-secure world, unless the secure supervisor determines otherwise,then the table shown in FIG. 71B shows what happens. In this case SMIshould always be considered as an atomic instruction, so that securefunctions are always finished before entering debug state.

Entering debug halt mode is subject to the following restrictions:

External debug request or internal debug request is taken into accountin non-secure world only. If EDBGRQ (external debug request) is assertedwhile in secure world, the core enters debug halt mode once securefunction is terminated and the core is returned in non-secure world.

Programming a breakpoint or watchpoint on secure memory has no effectand the core is not stopped when the programmed address matches.

Vector Trap Register (details of this are given below) concernsnon-secure exceptions only. All extended trapping enable bits explainedbefore have no effect.

Once in halt debug mode the following restrictions apply:

S bit cannot be changed to force secure world entry, unless secure debugis enabled.

Mode bits can not be changed if debug is permitted in secure supervisormode only.

Dedicated bits that control secure debug cannot be changed.

If a SMI is loaded and executed (with system speed access), the corere-enters debug state only when secure function is completely executed.

In monitor debug mode because monitoring cannot occur in secure world,the secure abort handler does not need to support a debug monitorprogramme. In non secure world, step-by-step is possible but whenever anSMI is executed secure function is executed entirely in other words anXWSI only “step-over” is allowed while “step-in” and “step-over” arepossible on all other instructions. XWSI is thus considered an atomicinstruction.

Once secure debug is disabled, we have the following restrictions:

Before Entering Monitor Mode:

Breakpoints and watchpoints are only taken into account in non-secureworld. If bit S is set, breakpoints/watchpoints are bypassed. Note thatwatchpoints units are also accessible with MCR/MRC (CP14) which is not asecurity issue as breakpoint/watchpoint has no effect in secure memory.

BKPT are normally used to replace the instruction on which breakpoint isset. This supposes to overwrite this instruction in memory by BKPTinstruction, which will be possible only in non-secure mode.

Vector Trap Register concerns non-secure exceptions only. All extendedtrapping enable bits explained before have no effect. Data abort andPre-fetch abort enable bits should be disabled to avoid the processorbeing forced in to an unrecoverable state.

Via JTAG, we have the same restrictions as for halt mode (S bit cannotbe modified, etc)

Once in Monitor Mode (Non-Secure Abort Mode)

The non-secure abort handler can dump non-secure world and has novisibility on secure banked registers as well as secure memory.

Executes secure functions with atomic SMI instruction

S bit cannot be changed to force secure world entry.

Mode bits can not be changed if debug is permitted in secure supervisormode only.

Note that if an external debug request (EDBGRQ) occurs,

In non-secure world, the core terminates the current instruction andenters then immediately debug state (in halt mode).

In secure world, the core terminates the current function and enters theDebug State when it has returned in non-secure world.

The new debug requirements imply some modifications in core hardware.The S bit must be carefully controlled, and the secure bit must not beinserted in a scan chain for security reason.

In summary, in debug, mode bits can be altered only if debug is enabledin secure supervisor mode. It will prevent anybody that has access todebug in the secure domain to have access to all secure world byaltering the system (modifying TBL entries, etc). In that way eachthread can debug its own code, and only its own code. The secure kernelmust be kept safe. Thus when entering debug while the core is running innon-secure world, mode bits can only be altered as before.

Embodiments of the technique use a new vector trap register. If one ofthe bits in this register is set high and the corresponding vectortriggers, the processor enters debug state as if a breakpoint has beenset on an instruction fetch from the relevant exception vector. Thebehaviour of these bits may be different according to the value of‘Debug in Secure world Enable’ bit in debug control register.

The new vector trap register comprises the following bits: D_s_abort.P_s_abort, S_undef, SMI, FIQ, IRQ, Unaligned, D_abort, P_abort, SWI andUndef.

-   -   D_S_abort bit: should only be set when debug is enabled in        secure world and when debug is configured in halt debug mode. In        monitor debug mode, this bit should never bit set. If debug in        secure world is disabled, this bit has no effect whatever its        value.    -   P_s abort bit: same as D_s abort bit.    -   S_undef bit: should only be set when debug is enable in secure        world. If debug in secure world is disabled, this bit has no        effect whatever its value is.    -   SMI bit: should only be set when debug is enabled in secure        world. If debug in secure world is disabled, this bit has no        effect whatever its value is.    -   FIQ, IRQ, D_abort, P_abort, SWI, undef bits: correspond to        non-secure exceptions, so they are valid even if debug in secure        world is disabled. Note that D_abort and P_abort should not be        asserted high in monitor mode.    -   Reset bit: as we enter secure world when reset occurs, this bit        is valid only when debug in secure world is enabled, otherwise        it has no effect.

As described earlier in the description, a device bus may have a numberof master devices and slave devices attached thereto. For example, withregards to FIG. 48, two master devices 470, 472 are shown connected to adevice bus to which are also connected a number of slave devices 480,484, 474, each of these slave devices having an address range associatedtherewith identifying the data storage locations within those slavedevices. As shown in FIG. 48, the screen driver 480 and the I/Ointerface 484 will typically have registers or buffers 482, 486,respectively therein in which data can be stored, and in addition thememory device 474 will clearly contain a range of memory locations forthe storage of data.

As also shown in FIG. 48, a domain signal, also referred to herein as anS-bit signal, can be arranged to be issued by a master device whenissuing an access request, to identify whether that access request is asecure access request or a non-secure access request. Data stored withinthe various slave devices can be classified as secure data or non-securedata, and it is important to ensure that a non-secure access requestcannot access secure data.

FIG. 72 is a block diagram of a data processing apparatus in accordancewith one embodiment, where additional logic is associated with a slavedevice in order to ensure that such non-secure access requests do notobtain access to secure data stored within the slave device. In theexample illustrated in FIG. 72, the slave device takes the form of anon-chip memory 5050, access to which is controlled by a memory interface5040. However, it will be appreciated that in alternative embodimentsthe slave device could be any other slave device within the apparatus,for example the screen driver 480 or the I/O interface 484 discussedearlier with reference to FIG. 48.

A master device 5000 is able to issue via a bus infrastructure 5010 anaccess request identifying a sequence of addresses to which that accessrequest pertains. As discussed earlier, each slave device within theapparatus will have an address range associated therewith. In oneembodiment of the present invention, high order address bit decoding isperformed within the on-chip bus infrastructure 5010 such that adetermination as to the target slave device for any particular accessrequest can be made based on the sequence of addresses identified bythat access request. Assuming the access request is directed towards theon-chip memory 5050, this will cause the bus infrastructure 5010 toroute the access request from the master device 5000 to a slaveinterface of the on-chip memory adapter 5020 associated with the on-chipmemory 5050.

The operation of the on-chip memory adapter 5020 will be discussed inmore detail later. However, in brief, the adapter 5020 determineswhether the sequence of addresses identified by the access request atleast partly lies within a secure memory region of the on-chip memory5050, or whether instead the sequence of addresses lie entirely within anon-secure memory region of the on-chip memory. If the sequence ofaddresses map entirely to a non-secure region, or map at least partly toa secure region in a situation where the access request is identified byits associated S-bit as being a secure access, then the access requestis routed from the slave interface of the on-chip memory adapter 5020 toa master interface of the on-chip memory adapter 5020. From here, theaccess request can be routed on to the memory interface 5040 to causethe required access to take place with respect to the on-chip memory5050.

However, if the on-chip memory adapter 5020 determines that sequence ofaddresses map at least partly to a secure region and the S-bitassociated with the access request indicates that the access isnon-secure, then the transfer is not routed to the master interface ofthe on-chip memory adapter 5020, and instead is rejected by signallingan error response from the slave interface of the on-chip memory adapter5020.

The mapping function performed by the on-chip memory adapter 5020 inorder to determine whether access to a secure region is being sought isconfigured by means of input signals received from a protectioncontroller 5030. In particular, in one embodiment as shown in FIG. 74, asingle secure region 5200 within the address range associated with theon-chip memory 5050 starts at a base address 5240 of that address rangeand continues to an address offset that is determined by the inputsignals received from the protection controller 5030, and identifies apartition 5250 between the secure memory region and an adjacentnon-secure memory region. As will be discussed later, the input signalsfrom the protection controller 5030 can define this partition 5250 in aconfigurable manner, and in one embodiment can define the partition tobe one of a number of discrete locations within the address range. Inone particular embodiment, the location of the partitions is defined byan offset equal to a certain integral number of 4 KB steps relative tothe base address 5240.

A non-secure region 5210 then exists from the end of the secure region5200 up to the final physical memory address 5260 of the memory, thistypically being configured at HDL (Hardware Description Language)compile time, for example by a verilog parameter.

In order to control aliasing effects a third region 5230, to which noaccess is permitted, exists from the end of the non-secure region 5210to the end of the address decode range 5270 occupied by the on-chipmemory adapter 5020 associated with the on-chip memory 5050. It ispermissible for any of these three regions to have zero size.

As shown in FIG. 73, the protection controller 5030 containssoftware-programmable registers 5120, which can be used to store anumber of different parameters used to control protection featuresprovided within the data processing apparatus. One of these registers isused in embodiments of the present invention to store a value, referredto in FIG. 73 as R0SIZE, which specifies an offset relative to the baseaddress 5240 used to determine the location of the partition 5250between the secure region 5200 and the non-secure region 5210.

The protection controller 5030 is configured so that the data valuesheld within the registers 5120 can only be altered by software executingin a secure mode of operation on one of the devices of the dataprocessing apparatus. Hence, as an example, software executing in asecure mode on the master device 5000 may be arranged to issue a secureaccess request to the protection controller 5030, that access requestspecifying as its address an address which maps to the register withinthe protection controller containing the value R0SIZE. In associationwith that address, write data can be issued as part of the accessrequest identifying a new value for R0SIZE to be stored within theappropriate register. The address will be received by decode logic 5100,where it will be decoded to produce a control signal used to control thedemultiplexer 5110. Hence, in the event that the address specifies theaddress of the register containing the value of R0SIZE, then thiscontrol signal will cause the demultiplexer 5110 to route the incomingwrite data to that particular register to cause the value of R0SIZE tobe updated. The new value of R0SIZE is then output over path 5130 to theon-chip memory adapter 5020, this value also being referred to herein asthe secure region size value.

Hence it can be seen that by providing a configurable register withinthe protection controller for the storage of the secure region sizevalue, secure software such as a secure operating system can configurethe partition between secure and non-secure regions of the memory 5050.

The manner in which this configurable secure region size value is usedby the on-chip memory adapter 5020 to control access to the on-chipmemory 5050 will now be described in more detail with reference to FIG.75. In one embodiment, the bus infrastructure 5010 provides a number ofunidirectional channels over which transactions can be routed. Atransaction will be initiated by a master device 5000, and will involvean access request being issued by the master device 5000 onto the businfrastructure 5010. In particular, certain signals will be issuedwithin an address channel of the bus infrastructure, these signals beingillustrated schematically in FIG. 75. As can be seen from that figure,an address signal 5330 identifying a start address, an S-bit signal 5340identifying whether the transaction is secure or non-secure, and variousother control signals 5320 will be routed via the address channel toinputs of the memory interface 5040. The address signal 5330 and S-bitsignal 5340 will also be routed as inputs to the on-chip memory adapter5020.

The other control signals may include a length control signalidentifying the number of transfers in the transaction, and a transfersize control signal identifying the number of bytes accessed at eachaddress, these signals hence identifying in combination with the addresssignal 5330 the sequence of addresses the subject of the transaction.However, as will be discussed later, the partition between the secureand non-secure regions, and the selection of the address sequence forany particular transaction, are constrained such that the on-chip memoryadaptor only needs to analyse the start address in order to determinewhether the sequence of addresses will be within the secure region orthe non-secure region.

A further signal provided within the address channel is a valid signal5350, which specifies whether the other signals within the addresschannel should be considered as valid or not. A slave device will onlyprocess the signals it receives within the address channel if the validsignal is asserted.

Although not shown in FIG. 75, it will be appreciated that in additionto the address channel, there will also be other channels used for thetransaction. For example, in the event of a write transaction, a writedata channel will be used for routing write data from the master deviceto the memory interface, and in the invent of a read transaction, a readdata channel will be provided for enabling any data read from memory asa result of the read access request to be returned to the master deviceover that read data channel.

As shown in FIG. 75, a multiplexer 5310 is provided within the on-chipmemory adapter 5020 for receiving the valid signal 5350 issued by themaster device, the multiplexer 5310 also receiving as a second input alogic zero value. In this embodiment it is considered that the validsignal is asserted when it has a logic 1 value, and is consideredde-asserted if it has a logic zero value. The multiplexer 5310 isarranged to output a new valid signal 5360, also referred to herein as areplacement valid signal, to the memory interface 5040, with theoperation of the multiplexer 5310 being controlled dependent on a signaloutput by the determination logic 5300.

As shown in FIG. 75, the determination logic 5210 is arranged to receivethe address signal 5330, the S-bit signal 5340 and the secure regionsize signal 5130 output by the protection controller 5030. As will bediscussed in more detail later with reference to FIG. 76, thedetermination logic 5300 is also aware of the overall physical memorysize of the associated on-chip memory 5050, and accordingly is aware ofthe location of the physical memory final address 5260 illustratedearlier in FIG. 74. Based on these input signals, the determinationlogic 5300 determines whether the address signal 5330 identifies anaddress which is within the physical memory size, and if it is withinthe physical memory size further determines whether the address fallswithin the secure region 5200 or the non-secure region 5210. If theaddress is outside of the physical memory size of the on-chip memoryregion, then the transaction is determined to be illegal and a controlsignal is issued to the multiplexer 5310 to cause that multiplexer tooutput a logic zero value as the replacement valid signal 5360, therebycausing the memory interface 5040 to not process the memory accessrequest.

Similarly, if it is determined that the address is within the physicalmemory address size, and is contained within the secure region 5200,then the transaction will be determined to be illegal if the value ofthe S-bit signal indicates that the access request is a non-secureaccess request, and this again will cause the multiplexer 5310 to outputa logic zero value as the replacement valid signal 5360. However, if itis determined that the address is within the physical memory addresssize, and is either within the non-secure region, or is within thesecure region and the transaction is confirmed by the S-bit signal asbeing a secure transaction, then the transaction is determined to belegal, and a control signal will be issued to the multiplexer 5310 tocause it to output as the replacement valid signal 5360 the valid signalreceived over path 5350 from the master device 5000.

The logic that may be used to perform the above described operations ofthe determination logic 5300 in accordance with one embodiment isillustrated in FIG. 76. In this embodiment, it is assumed that the S-bithas a value of zero if the transaction is secure and a value of 1 if thetransaction is non-secure. It will be appreciated that in alternativeembodiments the meanings of the values given to the S-bit signal couldbe reversed.

The comparator 5400 is arranged to determine whether the physical memoryfinal address 5260 is greater than or equal to the transaction addressreceived over path 5330, and if it is this will result in a logic 1signal being issued at the output of the comparator 5400 to one input ofAND gate 5430. Similarly, the comparator 5410 is arranged to determinewhether the transaction address is greater than the secure region finaladdress value 5250 identifying the extent of the secure region, and ifit is this will result in a logic 1 value being output from thecomparator 5410. As a result, it can be seen that if the transactionaddress is less than or equal to the physical memory final address, andis determined to be within the non-secure region, then this will resultin logic 1 signals being output from both comparators 5400, 5410.Accordingly, the output from OR gate 5420 will be a logic 1 valueirrespective of the value of the S-bit and hence the output from the ANDgate 5430 will be a logic 1 value, indicating that the transaction islegal.

However, if the output from the comparator 5410 is a logic zero value,indicating that the transaction address is within the secure region,then the output from the OR gate 5420 will only be at a logic 1 value ifthe S-bit is set to zero, the value of the S-bit being inverted prior toinput to the OR gate 5420. Hence, if the transaction address is withinthe physical memory size, and is within the secure region, but the S-bitindicates that the transaction is secure, then again this will cause alogic 1 value to output from the AND gate 5430 to indicate that thetransaction is legal.

However, conversely it will be seen that if the transaction address isin excess of the physical memory final address, then this will cause alogic zero value to be output from the comparator 5400, which will causea logic zero value to be output from the AND gate 5430 to indicate thetransaction is illegal. Similarly, if the output from the comparator5410 is a logic zero value, indicating that the transaction address iswithin the secure region 5200, and the S-bit is set to a logic 1 valueindicating that the transaction is non-secure, this will cause a logiczero value to be output from the OR gate 5420, which will again cause alogic zero value to be output from the AND gate 5430, indicating thatthe transaction is illegal.

FIG. 77 is a flow diagram illustrating the operations performed by theon-chip memory adapter 5020 in accordance with one embodiment of thepresent invention. At step 5500 it is determined whether a valid addresshas been received by the on-chip memory adapter 5020, and if not nofurther processing is required. When at step 5500 it is determined thata valid address has been received, the process proceeds to step 5510where it is determined whether the address falls within the physicalmemory size of the on-chip memory. If it does not, then the processproceeds directly to step 5550 where the transaction is determined to beinvalid. As mentioned earlier with reference to FIG. 75, this will causethe memory interface 5040 to be provided with a de-asserted validsignal, and accordingly the memory interface will take no action withregards to the request. Nevertheless, the protocol specified in relationto the bus infrastructure 5010 may require a certain response to beissued in reply to the access request in order to satisfy the protocol.If this is required, then at step 5550, the transaction can be routed toa default slave device in order to cause default signals to be generatedas required in order to satisfy the bus protocol. For example, in theevent of a read access request, the default slave may generate a defaultread response and dummy read data over the read data channel to bereturned to the master device. Similarly, in the event of a write accessrequest, the default slave may generate any required write response.

If at step 5510 it is determined that the address does fall within thephysical memory size, then the process proceeds to step 5520, where itis determined whether the address falls within the secure memory region.If not, then the process proceeds directly to step 5540, where it isdetermined that the transaction is valid, and accordingly the necessarysignals are routed to the slave device, in this instance to the memoryinterface 5040. As discussed earlier with reference to FIG. 75, in oneembodiment all of the relevant signals are routed by default to thememory interface, and it is just the valid signal that is manipulated bythe on-chip memory adaptor. Accordingly, at step 5540, the valid signalpropagated over path 5360 is selected to be the valid signal as receivedover path 5350.

If at step 5520 it is determined that the address does fall within thesecure memory region, then an additional check is necessary to determineat step 5530 whether the access request is secure. If it is, then theprocess proceeds to step 5540 where it is determined that thetransaction is valid, whereas if the access request is not secure, theprocess proceeds to step 5550, where the transaction is determined to beinvalid.

As will be appreciated form the earlier description of FIG. 76, thelogic will be arranged such that several of the steps identified in FIG.77 are actually performed in parallel. For example, steps 5510 and 5520will be performed in parallel by the comparators 5400, 5410.

The reference to the address compared at steps 5510 and 5520 will in thegeneral case be a reference to the sequence of addresses specified bythe transaction. In the general case, it will be necessary to compareboth the transaction start address and the transaction end address,which is calculated using the transaction start address, a lengthcontrol signal identifying the number of transfers in the transaction,and a transfer size control signal identifying the number of bytesaccessed at each address. However, in one particular embodiment of thepresent invention, it is only necessary to compare the start address,because the protocol specified in connection with the bus infrastructuresets a minimum granularity for the region partition, and a restrictionon the choice of addresses forming the address sequence of thetransaction, which ensures that if the start address is within oneparticular region, then all other addresses within the transaction willalso be within that region. More particularly, in one embodiment, asdiscussed earlier, the offset specified with regard to the base address5240 in order to determine the location of the partition 5250 betweenthe secure region and the non-secure region can only be specified inblocks of four kilobytes (4 KB). Further, the bus protocol of the businfrastructure 5010 restricts any transaction to identify a sequence ofaddresses which also lies within such four kilobyte blocks. Hence, ifthe start address is determined to be within the non-secure region 5210,then it can be ensured that all of the other addresses within thesequence of addresses of the transaction are also with the non-secureregion, and similarly if the start address is within the secure region5200, it can be ensured that the other addresses within the sequence ofaddresses specified by the transaction are also within the secure region5200.

From the above description of an embodiment of the present invention, itcan be seen that such embodiments address the problem of efficient useof on-chip memory in a system-on-chip where some of the memory may berequired to be access controlled, by partitioning the memory into accesscontrolled and non-access controlled regions, and allowing the positionof the partition between the regions to be configurable by software. Inthe particular embodiment described, each bus transaction and eachregion of physical address space is described as either secure ornon-secure. If a region is described as secure, only transactions thatare also described as secure may access it, but any transaction mayaccess a region that is described as non-secure. The security of thetransaction is specified by the associated S-bit signal propagated aspart of the access request.

When a System-on-Chip is designed, the proportion of on-chip memory thatmust be secure may not be known, because the software applications thatwill be run on a system-on-chip may not be known, or because a varietyof applications with different secure memory requirements may be run onthe system. The technique of embodiments of the present inventionprovides a technique for partitioning a single physical memory intosecure and non-secure regions, and to configure the partition fromsoftware. It thereby avoids the need to provide either a fixed partitionbetween the regions, or to provide separate secure and non-securephysical memories, both of which implementations are likely to beinefficient or inadequate. The techniques of embodiments of the presentinvention also facilitate the re-use of a single System-on-Chip designfor several different applications.

It will be appreciated that the technique of embodiments of theinvention could be expanded to situations which include more than twomemory regions, which could each be described as secure or non-secure.The techniques could also be implemented on a different access controlmodel that uses more than two levels of access control, for examplenon-secure, secure level 1, secure level 2, etc.

It will also be appreciated that the functionality of the on-chip memoryadapter 5020 could be combined with the memory interface 5040, or boththe on-chip memory adapter 5020 and the protection controller 5030 couldbe incorporated as part of an access control layer of the businfrastructure 5010. As discussed earlier, the on-chip memory adapter5020 could control access to peripherals as well as to memory.

Although a particular embodiment has been described herein, it will beappreciated that the invention is not limited thereto and that manymodifications and additions thereto may be made within the scope of theinvention. For example, various combinations of the features of thefollowing dependent claims could be made with the features of theindependent claims without departing from the scope of the presentinvention.

1. A data processing apparatus operable to control access to a slavedevice, the slave device having an address range associated therewith,the apparatus comprising: control storage programmable to define apartition identifying a secure region and a non-secure region in saidaddress range, the data processing apparatus supporting a plurality ofmodes of operation including a secure mode, and the control storagebeing programmable only by software executing in said secure mode; amaster device operable to issue an access request onto a bus, the accessrequest identifying a sequence of addresses within said address rangeand including a control signal indicating whether the access request isa secure access request or a non-secure access request, the secureregion only being accessible by a secure access request; and accesscontrol logic associated with the slave device, the access control logicbeing operable to receive the access request from the bus and anindication of the partition from the control storage and, if the accessrequest is a non-secure access request, to prevent access to the secureregion.
 2. A data processing apparatus as claimed in claim 1, whereinthe address range has a base address associated therewith and thecontrol storage contains an offset value that identifies relative to thebase address a boundary forming the partition between the secure regionand the non-secure region.
 3. A data processing apparatus as claimed inclaim 1, wherein the data processing apparatus has a secure domain and anon-secure domain, in the secure domain the data processing apparatushaving access to secure data which is not accessible in the non-securedomain, the secure region containing said secure data.
 4. A dataprocessing apparatus as claimed in claim 3, wherein the control signalincluded within the access request is a domain signal identifyingwhether the access request pertains to said secure domain or saidnon-secure domain.
 5. A data processing apparatus as claimed in claim 1,wherein the master device is operable in said plurality of modes and aplurality of domains, said plurality of domains comprising a securedomain and a non-secure domain, said plurality of modes including atleast one non-secure mode being a mode in the non-secure domain and atleast one secure mode being a mode in the secure domain, said masterdevice being operable such that when executing a program in a securemode said program has access to secure data which is not accessible whensaid master device is operating in a non-secure mode, the secure regioncontaining said secure data.
 6. A data processing apparatus as claimedin claim 5, wherein when operating in said at least one secure mode, theaccess request issued by the master device is said secure accessrequest, and when operating in said at least one non-secure mode, theaccess request issued by the master device is said non-secure accessrequest.
 7. A data processing apparatus as claimed in claim 1, whereinthe access control logic comprises determination logic operable todetermine having regard to the indication of the partition whether thesequence of addresses identified by the access request at least partlylies within the secure region, and if so to check that the controlsignal included within the access request indicates that the accessrequest is a secure access request.
 8. A data processing apparatus asclaimed in claim 7, wherein the address range comprises a plurality ofblocks of a predetermined size, the partition is located at a boundarybetween two adjacent blocks of said plurality of blocks, and thesequence of addresses identified by the access request are required tobe within one of said blocks, the determination logic being operable todetermine whether a first address of said sequence is within the secureregion or the non-secure region.
 9. A data processing apparatus asclaimed in claim 7, wherein the address range exceeds the physical sizeof storage within the slave device, the determination logic beingfurther operable to determine whether the sequence of addresses at leastpartly exceeds the physical size, and if so to prevent the slave devicebeing accessed.
 10. A data processing apparatus as claimed in claim 7,wherein the access request includes a valid signal which is asserted bythe master device when the access request is issued, the access controllogic comprising valid signal propagation logic operable to receive thevalid signal and to generate a replacement valid signal for routing tothe slave device, the valid signal propagation logic being operable tode-assert the replacement valid signal in the event that thedetermination logic determines that a non-secure access request isattempting to access the secure region.
 11. A data processing apparatusas claimed in claim 7, wherein the access control logic is operable inthe event of a non-secure access request specifying a write operation toprevent the write data of the access request being provided to the slavedevice if the determination logic determines that that non-secure accessrequest is attempting to access the secure region.
 12. A data processingapparatus as claimed in claim 7, wherein the access control logic isoperable in the event of a non-secure access request specifying a readoperation to cause a default read response to be returned to the masterdevice if the determination logic determines that that non-secure accessrequest is attempting to access the secure region.
 13. A data processingapparatus as claimed in claim 1, wherein the slave device is a memory.14. A data processing apparatus as claimed in claim 13, furthercomprising a memory interface operable to access said memory, the accesscontrol logic being coupled between the bus and the memory interface.15. A data processing apparatus as claimed in claim 1, wherein the dataprocessing apparatus is a System-on-Chip, and further comprises anon-chip memory forming said slave device.
 16. Slave device control logicfor use in a data processing apparatus to control access to a slavedevice, the slave device having an address range associated therewith,the slave device control logic comprising: control storage programmableto define a partition identifying a secure region and a non-secureregion in said address range, the data processing apparatus supporting aplurality of modes of operation including a secure mode, and the controlstorage being programmable only by software executing in said securemode; and access control logic associated with the slave device, theaccess control logic being operable to receive an access request from abus and an indication of the partition from the control storage and, ifthe access request is a non-secure access request, to prevent access tothe secure region.
 17. A method of operating a data processing apparatusto control access to a slave device, the slave device having an addressrange associated therewith, the method comprising the steps of: (a)programming within a control storage a partition identifying a secureregion and a non-secure region in said address range, the dataprocessing apparatus supporting a plurality of modes of operationincluding a secure mode, and the control storage being programmable onlyby software executing in said secure mode; (b) issuing from a masterdevice an access request onto a bus, the access request identifying asequence of addresses within said address range and including a controlsignal indicating whether the access request is a secure access requestor a non-secure access request, the secure region only being accessibleby a secure access request; and (c) employing access control logicassociated with the slave device to receive the access request from thebus and an indication of the partition from the control storage and, ifthe access request is a non-secure access request, to prevent access tothe secure region.
 18. A method as claimed in claim 17, wherein theaddress range has a base address associated therewith and theprogramming step comprises programming an offset value into the controlstorage that identifies relative to the base address a boundary formingthe partition between the secure region and the non-secure region.
 19. Amethod as claimed in claim 17, wherein the data processing apparatus hasa secure domain and a non-secure domain, in the secure domain the dataprocessing apparatus having access to secure data which is notaccessible in the non-secure domain, the secure region containing saidsecure data.
 20. A method as claimed in claim 19, wherein the controlsignal included within the access request is a domain signal identifyingwhether the access request pertains to said secure domain or saidnon-secure domain.
 21. A method as claimed in claim 17, wherein themaster device is operable in said plurality of modes and a plurality ofdomains, said plurality of domains comprising a secure domain and anon-secure domain, said plurality of modes including at least onenon-secure mode being a mode in the non-secure domain and at least onesecure mode being a mode in the secure domain, said master device beingoperable such that when executing a program in a secure mode saidprogram has access to secure data which is not accessible when saidmaster device is operating in a non-secure mode, the secure regioncontaining said secure data.
 22. A method as claimed in claim 21,wherein when operating in said at least one secure mode, the accessrequest issued by the master device is said secure access request, andwhen operating in said at least one non-secure mode, the access requestissued by the master device is said non-secure access request.
 23. Amethod as claimed in claim 17, wherein said step (c) comprises the stepsof: determining having regard to the indication of the partition whetherthe sequence of addresses identified by the access request at leastpartly lies within the secure region, and if so checking that thecontrol signal included within the access request indicates that theaccess request is a secure access request.
 24. A method as claimed inclaim 23, wherein the address range comprises a plurality of blocks of apredetermined size, the partition is located at a boundary between twoadjacent blocks of said plurality of blocks, and the sequence ofaddresses identified by the access request are required to be within oneof said blocks, said determining step comprising determining whether afirst address of said sequence is within the secure region or thenon-secure region.
 25. A method as claimed in claim 23, wherein theaddress range exceeds the physical size of storage within the slavedevice, the method further comprising the steps of: determining whetherthe sequence of addresses at least partly exceeds the physical size, andif so preventing the slave device being accessed.
 26. A method asclaimed in claim 23, wherein the access request includes a valid signalwhich is asserted by the master device when the access request isissued, said step (c) further comprising the steps of: receiving thevalid signal; generating a replacement valid signal for routing to theslave device; and de-asserting the replacement valid signal in the eventthat said determining step determines that a non-secure access requestis attempting to access the secure region.
 27. A method as claimed inclaim 23, wherein in the event of a non-secure access request specifyinga write operation, the method further comprises the step of preventingthe write data of the access request being provided to the slave deviceif the determination step determines that that non-secure access requestis attempting to access the secure region.
 28. A method as claimed inclaim 23, wherein in the event of a non-secure access request specifyinga read operation, the method further comprises the step of causing adefault read response to be returned to the master device if thedetermination step determines that that non-secure access request isattempting to access the secure region.
 29. A method as claimed in claim17, wherein the slave device is a memory.
 30. A method as claimed inclaim 29, further comprising the step of employing a memory interface toaccess said memory, the access control logic being coupled between thebus and the memory interface.
 31. A method as claimed in claim 17,wherein the data processing apparatus is a System-on-Chip having anon-chip memory forming said slave device.